nanog mailing list archives

Re: Intrusion Detection recommendations


From: Charles N Wyble <charles () thefnf org>
Date: Sat, 14 Feb 2015 14:03:05 -0600

Check out Security Onion. It's got a pretty nice suite of tools and can run a (or many) dedicated sensor system and communicate back to a central system.

As for SSL MITM, see the recent NANOG thread for the full layer 2 to layer 8 ramifications of that activity.

For SSH MITM, I don't know of any tools. I'm looking for one.

On February 14, 2015 12:57:29 PM CST, Jimmy Hess <mysidia () gmail com> wrote:
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush <randy () psg com> wrote:

Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.

By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be JavaScript attacks against the browser, or SQL
injection attempts encapsulated in the encrypted tunnels; I am not
aware of an open source tool to help you with SSH/SSL interception/SSL
decryption for implementation of network-based IDS.

You also need a hand-crafted rule for each threat that you want Snort
to identify...
Most likely this entails making decisions about what commercial
ruleset(s) you want to use and then buying the appropriate
subscriptions.


If you were comfortable enough with FreeBSD to use it as a firewall, you
can run your traffic through, or mirror it to, a FreeBSD box running
   https://www.bro.org/ or
   https://www.snort.org/
two quite reasonable and powerful open source systems.

randy
--
-JH


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
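The two points Jimmy raises (one hand-written rule per threat, and a wire sensor that is blind inside an encrypted session) as an added illustration; this is constructed example code, not Snort, Bro or Security Onion code. It parses a small Snort-like rule subset (msg, content, nocase, sid; no distance/within/pcre) and the placeholder sids, the sample HTTP request and the stand-in stream cipher for the TLS record layer are all constructed for the demo.

```python
# Added illustration (not Snort/Bro code): a minimal matcher for a Snort-like
# rule subset. Each threat needs its own rule, and a sensor that only sees the
# wire cannot match anything once the same request travels inside TLS.
import hashlib

# Constructed rules in simplified Snort syntax; sids are placeholders.
RULES = [
    'alert tcp any any -> any 80 (msg:"SQLi UNION SELECT"; content:"union"; '
    'nocase; content:"select"; nocase; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"Inline script tag"; content:"<script"; '
    'nocase; sid:1000002;)',
]

def parse_rule(rule: str) -> dict:
    """Extract msg, sid and the list of [content, nocase] options."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"msg": None, "sid": None, "contents": []}
    for opt in (o.strip() for o in opts.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        if key == "msg":
            parsed["msg"] = val.strip('"')
        elif key == "sid":
            parsed["sid"] = int(val)
        elif key == "content":
            parsed["contents"].append([val.strip('"').encode(), False])
        elif key == "nocase" and parsed["contents"]:
            parsed["contents"][-1][1] = True  # modifier applies to the last content
    return parsed

def match(rule: dict, payload: bytes) -> bool:
    """Every content pattern must occur somewhere in the payload (no relative
    modifiers such as distance/within are supported in this subset)."""
    for pattern, nocase in rule["contents"]:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if hay.find(needle) < 0:
            return False
    return True

def alerts(payload: bytes) -> list:
    """Return 'sid: msg' for each rule that fires on this payload."""
    return [f'{r["sid"]}: {r["msg"]}' for r in map(parse_rule, RULES) if match(r, payload)]

def encrypt_like_tls(plaintext: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the TLS record layer: XOR with a SHA-256
    counter keystream. Only the effect matters here: the sensor sees ciphertext."""
    stream, counter = bytearray(), 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))

# Constructed sample: a cleartext HTTP request carrying a SQL injection probe.
HTTP_REQUEST = (b"GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\n"
                b"Host: shop.example\r\n\r\n")

if __name__ == "__main__":
    print("cleartext:", alerts(HTTP_REQUEST))
    print("inside TLS:", alerts(encrypt_like_tls(HTTP_REQUEST, b"constructed-session-key")))
```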