RE: Re: Intrusion Detection recommendations

["Darden, Patrick" <Patrick.Darden () p66 com>]

These are all excellent tools for a dedicated knowledgeable network security person to use.  The most important element 
being the dedicated knowledgeable network security person.

--p

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Jimmy Hess
Sent: Saturday, February 14, 2015 12:57 PM
To: Randy Bush
Cc: North American Network Operators' Group
Subject: [EXTERNAL]Re: Intrusion Detection recommendations

On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush <randy () psg com> wrote:

Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.

By itself, a single install of Snort/Bro is not necessarily a complete IDS,  as it cannot inspect the contents of 
outgoing SSL sessions,  so there can still be Javascript/attacks against the browser, or SQL
injection attempts encapsulated in the encrypted tunnels;    I am not
aware of an open source tool to help you with SSH/SSL interception/SSL decryption for implementation of  network-based 
IDS.

You also need a hand-crafted rule for each threat  that you want Snort to identify...
Most likely this entails making decisions about what commercial
ruleset(s) you want to use and then buying the appropriate subscriptions.


> if you were comfortable enough with freebsd to use it as a firewall, 
> you can run your traffic through, or mirror it to, a freebsd box running
>    https://www.bro.org/ or
>    https://www.snort.org/
> two quite reasonable and powerful open source systems
>
> randy
--
-JH