PaulDotCom mailing list archives
Re: IDP/IDS
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 14 Sep 2010 15:48:00 -0500
Whatever you do, I would make sure that you have the following complementary technologies, as IDS alerts alone generally don't mean squat without context surrounding them.

1. Huge rotating full-content packet capture (disk space is cheap these days), from which you can extract info based on IDS events or via custom BPFs.
2. Flow logging that you will retain for much, much longer than your full-content data.
3. Centralized logging of OS, application, FW logs etc. that can be queried ad hoc. I was broke and couldn't even afford Splunk, so I enabled the OSSEC logall option and wrote a web front end to zgrep that allowed for stacked queries.
4. Tools to make quick work of the extracted pcap and flow data. Plenty have been mentioned recently on the list.

If you decide to go the open source route for one or all of these things, here is some info that might be helpful that I cut from a presentation I did a few months ago.

Full content packet capture:
PF_RING (makes the rest of the apps below go faster)
http://www.ntop.org/PF_RING.html
My quick look at Zero-Copy BPF for Suricata in FreeBSD 8:
http://node5.blogspot.com/2009/11/very-quick-look-at-zero-copy-bpf-in.html
Wireshark
http://www.wireshark.org/
Daemonlogger
http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
OpenFPC (looks pretty slick! Haven't played with it yet)
tcpdump (supports setting the pcap buffer size via -B, and since libpcap 1.0 uses an option similar to Phil Wood's mmap patch if the kernel supports it)
http://www.tcpdump.org/

Flow logging:
Argus (there are others, but this is the best IMHO; good for on-demand stats)
http://www.qosient.com/argus/
Yaf
http://tools.netsa.cert.org/yaf/
Sancp
http://www.metre.net/sancp.html

Tools to use for analysis of full content packet captures:
My dumb little pcap parser (simply applies a user-provided BPF to multiple rotating pcaps; uses Argus as indexing)
http://doc.emergingthreats.net/bin/view/Main/PcapParser
Network Miner (Windows)
http://networkminer.sourceforge.net/
Xplico (web interface)
http://www.xplico.org/
Honeysnap (Python)
http://www.honeynet.org/project/Honeysnap
ChaosReader (amazing... Perl, 6 years old, still handy)
http://www.brendangregg.com/chaosreader.html
ngrep (simple string and regex matching for packets)
http://ngrep.sourceforge.net/

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
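As an added illustration of the workflow the post describes (item 1 plus item 4: pull the packets behind an IDS event out of a set of rotating full-content captures), here is a small stand-alone Python script. It is not Will Metcalf's PcapParser nor any tool from his list; it stands in for Argus indexing with a simple first/last-timestamp index per file, and for a user-supplied BPF with exact 5-tuple matching in both directions. The capture file names, packet contents and the alert record are all constructed sample data, and the carver only understands Ethernet/IPv4 with TCP or UDP.

```python
"""Carve the packets behind an IDS alert out of rotating pcap files (stdlib only)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap


def build_pcap(packets):
    """Serialise [(ts_sec, ts_usec, frame)] as a link-type-1 (Ethernet) pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for test data (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    if proto == 6:   # TCP: ports, seq, ack, data offset 5, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:            # UDP: ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def iter_packets(data):
    """Yield (ts_sec, ts_frac, frame) from pcap bytes, honouring the magic's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    pos = 24
    while pos + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl]
        if len(frame) < incl:
            raise ValueError("truncated pcap record")  # rotated mid-write; stop cleanly
        pos += incl
        yield sec, frac, frame


def five_tuple(frame):
    """(src, dst, proto, sport, dport) for Ethernet/IPv4 TCP or UDP; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return (src, dst, proto, None, None)
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, dst, proto, sport, dport)


def index_captures(captures):
    """Cheap index: first and last packet time per file, so most files are never parsed twice."""
    idx = {}
    for name, data in captures.items():
        ts = [s + f / 1e6 for s, f, _ in iter_packets(data)]
        if ts:
            idx[name] = (min(ts), max(ts))
    return idx


def carve(captures, index, alert, window=60):
    """Packets in either direction of the alert's 5-tuple within +/- window seconds of alert['ts']."""
    lo, hi = alert["ts"] - window, alert["ts"] + window
    want = {(alert["src"], alert["dst"], alert["proto"], alert["sport"], alert["dport"]),
            (alert["dst"], alert["src"], alert["proto"], alert["dport"], alert["sport"])}
    hits = []
    for name in sorted(index):
        first, last = index[name]
        if last < lo or first > hi:
            continue  # file cannot overlap the window; skip it without reading packets
        for sec, frac, frame in iter_packets(captures[name]):
            if lo <= sec + frac / 1e6 <= hi and five_tuple(frame) in want:
                hits.append((sec, frac, frame))
    hits.sort(key=lambda p: (p[0], p[1]))
    return hits


# Constructed sample: three rotating captures (as tcpdump -G/-W would leave behind) and one alert.
CAPTURES = {
    "cap-1000.pcap": build_pcap([(1000, 0, build_frame("10.0.0.5", "192.0.2.9", 6, 40000, 80))]),
    "cap-2000.pcap": build_pcap([
        (2000, 100, build_frame("10.0.0.5", "192.0.2.9", 6, 40001, 80, b"GET / HTTP/1.0\r\n")),
        (2000, 200, build_frame("192.0.2.9", "10.0.0.5", 6, 80, 40001, b"HTTP/1.0 200 OK\r\n")),
        (2005, 0, build_frame("10.0.0.7", "192.0.2.9", 17, 5353, 53)),
    ]),
    "cap-3000.pcap": build_pcap([(3000, 0, build_frame("10.0.0.5", "192.0.2.9", 6, 40001, 80))]),
}
ALERT = {"ts": 2000.15, "src": "10.0.0.5", "dst": "192.0.2.9", "proto": 6, "sport": 40001, "dport": 80}


def carve_for_alert(captures=CAPTURES, alert=ALERT, window=60):
    return carve(captures, index_captures(captures), alert, window)


if __name__ == "__main__":
    pkts = carve_for_alert()
    with open("alert-carve.pcap", "wb") as fh:   # hand this to Wireshark, ngrep, etc.
        fh.write(build_pcap(pkts))
    print(len(pkts), "packets written")
```

On real rotating captures you would read each file from disk instead of the in-memory dict, and the index would be built once per rotation rather than on every query; the point the post makes is that the full-content store is only useful if you can get from an alert's timestamp and 5-tuple to the matching bytes quickly, which is what the index-then-filter split buys you.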
Current thread:
- IDP/IDS Craig Freyman (Sep 13)
- Re: IDP/IDS Bigger Thomas (Sep 13)
- Re: IDP/IDS Carlos Perez (Sep 13)
- Re: IDP/IDS Juan Cortes (Sep 13)
- Re: IDP/IDS Albert R. Campa (Sep 13)
- Re: IDP/IDS Juan Cortes (Sep 13)
- Re: IDP/IDS Mike Patterson (Sep 13)
- Re: IDP/IDS CP Constantine (Sep 14)
- Re: IDP/IDS Will Metcalf (Sep 14)
- Re: IDP/IDS CP Constantine (Sep 14)