Snort mailing list archives

Re: *very* many snort installations..


From: "Adriel T. Desautels" <atd () secnetops com>
Date: Mon, 01 Dec 2003 15:54:52 -0500

Hugh,
Host and network IDS are not always different animals, in particular when they work with each other. Host-based IDS means that you do not have to rely on the network for your "trigger" information. I actually wrote an article on the issues with IDS, which can be found at:

http://www.masshightech.com/displayarticledetail.asp?art_id=63368&cat_id=259

In summary, I discuss how NIDS alone is a failure as it relies on JUST the network. All of us know that you can spoof packets and forge traffic. Because of this, you can also make NIDS go nuts if you are crafty enough. Our IDS solution is actually an NIDS enhancer which adds HIDS functionality to your current NIDS solution. It also adds centralization, data consolidation, and data correlation for high-speed viewing and false-positive validation. It is not really an NIDS system though, as we don't make the NIDS engines. It currently only supports SNORT but will soon support ISS products.

At any rate, if anyone has any questions about turning your current NIDS into an NIDS+HIDS, let me know.


hugh_fraser () dofasco ca wrote:

The host and network IDSs are different animals. Symantec (and several
other companies) offer a HID that monitors and enforces policies that
define how applications on the host behave. While this includes network
activity, it goes beyond that to include access to any resources on the
host. It's very different from, but at the same time complementary to,
what a NID does. Both provide valuable insight into what's happening in
your environment, and are indispensable when doing the forensic work
you're talking about.

Deployment of NID technology on all workstations may provide more
resolution than you need if there are key network "hubs" through
which all internal traffic passes. As always, start with the perimeter
firewalls, but also include dialup access points (i.e. Citrix,
Reachout, etc.). Internally, monitor the routers, hubs, firewalls, etc.
As well, monitor servers providing common networking services, such as
proxy servers. If you're running a switched network and using VLANs to
segment traffic, monitor systems that may straddle multiple VLANs, such
as domain controllers, DNS or DHCP servers, etc. With some up-front
effort, you may find that a much smaller deployment of NIDs can provide
you with the ability to track activity, without an overwhelming
infrastructure to manage.

In the same way, deploying a HID to 10,000 machines may also be
overkill. Again, the selection of key points to monitor may provide you
with the information you need.

Don't underestimate the impact of either of these technologies on the
systems to which they're deployed. HIDs, especially, may require
considerable amounts of hand-holding before they become invisible to the
end user. For anything other than vanilla applications that the HID
understands out of the box, it will need to be taught what to expect
before it can be deployed to provide non-noise information. And if
you're using them to enforce policies rather than just monitor for
violations, this training will be even more important, unless your help
desk enjoys extra work.

Enforcement is the holy grail we're all looking for, since it's a
reality that you will at some point suffer an intrusion, and enforcing
policies (whether in a NID or a HID) is what will allow you to contain
the intrusion and limit the damage.

With regards to the collection of traffic from 10,000 machines,
hierarchical approaches need to be used to deal with the load. In a
large environment, it typically makes sense to have local collection
agents that do some form of filtering and correlation and forward
traffic on to higher levels that have a more enterprise view. This buys
you several benefits... Each local collection agent can be relatively
autonomous, giving you a degree of fault tolerance. It localizes
potentially heavy network traffic in the event of an intrusion. Finally,
it provides you with a scalable architecture that can be adapted to
arbitrary changes either in capacity or topology.

Hugh Fraser
Senior Technical Specialist
Dofasco Inc.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Wednesday, November 26, 2003 6:01 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] *very* many snort installations..


On Thu, 2003-11-27 at 04:46, Michael Steele wrote:
The solution is not to install Snort on every workstation.

Strange - companies like Symantec would disagree with you. They certainly think there's a future in host-based IDS.

Of course, the IDS is easy - it's the centralised management that's hard... How you handle 10,000 hosts all sending 100 alerts/sec to your central console when SLAMMER-IV hits one machine is beyond me ;-)

[to be fair, I'm confusing centralised management with centralised logging here]


Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Regards, Adriel T. Desautels
        Secure Network Operations, Inc.
        Phone: 978-263-3829 ||  Fax : 978-263-0033
        "Embracing the future of technology, protecting you."

        ----------------------------------------------------------
        Enhance your IDS-------: http://www.secnetops.com/products
        Nightly Security Audits: http://www.secnetops.com/services

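Hugh's hierarchical-collection point (local agents that filter and correlate before forwarding to an enterprise tier) and Jason's "10,000 hosts all sending 100 alerts/sec when a worm hits one machine" scenario, as an added example that is not part of any post in this thread and not code from Snort, Secnetops or Symantec: a minimal site-level collection agent in Python. It goes a step beyond the discussion by also parsing Snort's one-line alert_fast output. Within a window it counts repeats per (SID, source, destination); at flush time it forwards one roll-up per key, except that a source firing the same signature at many hosts is collapsed into a single outbreak record, so the flood stays local and the upstream console sees two records instead of three hundred. The alert lines are constructed for the example, SID 1000001 and its message are hypothetical, the outbreak threshold of 20 distinct targets is an arbitrary choice, and "forwarding" is represented by the returned list rather than any real transport.

```python
import re
from collections import defaultdict

# Snort's one-line "alert_fast" format, e.g. (constructed sample):
# 12/01-15:54:52.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.1.9:1434
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict; return None for anything else."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"sid": int(d["sid"]), "msg": d["msg"], "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "priority": int(d["pri"]) if d["pri"] else None}


class LocalCollector:
    """Site-level agent: raw alerts stay local, only roll-ups go upstream."""

    def __init__(self, outbreak_targets=20):
        # Distinct victims of one (sid, src) pair before the window is summarised
        # as a single outbreak record instead of one record per victim (arbitrary).
        self.outbreak_targets = outbreak_targets
        self.reset()

    def reset(self):
        self.counts = defaultdict(int)  # (sid, src, dst) -> alerts seen this window
        self.first = {}                 # (sid, src, dst) -> first parsed alert
        self.raw_lines = self.unparsed = 0

    def ingest(self, line):
        self.raw_lines += 1
        a = parse_fast_alert(line)
        if a is None:
            self.unparsed += 1          # counted, never forwarded line by line
            return
        key = (a["sid"], a["src"], a["dst"])
        self.first.setdefault(key, a)
        self.counts[key] += 1

    def flush(self):
        """Roll up the window, reset it, and return (records_to_forward, stats)."""
        victims = defaultdict(set)      # (sid, src) -> set of dst
        per_source = defaultdict(int)   # (sid, src) -> alert count
        for (sid, src, dst), n in self.counts.items():
            victims[(sid, src)].add(dst)
            per_source[(sid, src)] += n

        forwarded, outbreaks = [], set()
        for (sid, src), dsts in victims.items():
            if len(dsts) >= self.outbreak_targets:
                outbreaks.add((sid, src))
                msg = self.first[(sid, src, next(iter(dsts)))]["msg"]
                forwarded.append({"type": "outbreak", "sid": sid, "msg": msg, "src": src,
                                  "distinct_targets": len(dsts), "alerts": per_source[(sid, src)]})
        for key, n in self.counts.items():
            if key[:2] not in outbreaks:  # not already covered by an outbreak record
                forwarded.append({"type": "alert", **self.first[key], "alerts": n})

        stats = {"raw": self.raw_lines, "unparsed": self.unparsed, "forwarded": len(forwarded)}
        self.reset()
        return forwarded, stats


def sample_window():
    """Constructed input: one host hitting 100 victims three times each with a worm
    signature, one priority-1 alert from a hypothetical local rule (SID 1000001),
    and one line that is not an alert at all."""
    lines = []
    for i in range(100):
        lines += [f"12/01-15:54:{i % 60:02d}.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
                  f"[Classification: Misc Attack] [Priority: 2] {{UDP}} 10.0.0.5:1434 -> 10.0.1.{i + 1}:1434"] * 3
    lines.append("12/01-15:55:01.000001  [**] [1:1000001:1] HYPOTHETICAL admin share access [**] "
                 "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
                 "{TCP} 10.0.2.7:3211 -> 10.0.0.20:445")
    lines.append("Dec  1 15:55:02 sensor01 snort: not an alert line at all")
    return lines


def run_example():
    collector = LocalCollector(outbreak_targets=20)
    for line in sample_window():
        collector.ingest(line)
    return collector.flush()


if __name__ == "__main__":
    records, stats = run_example()
    print(stats)                        # 302 raw lines in, 2 records out
    for rec in records:
        print(rec)
```

The agent keeps the per-victim detail locally (a real deployment would spool it to disk for the forensic work Hugh mentions) and ships only the roll-ups, which is what lets each site stay autonomous and keeps an outbreak's alert storm off the links to the central console. Unparseable lines are counted rather than forwarded, so a sensor emitting garbage cannot itself become the flood.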