Re: Looking for a prebuilt Snort IDS Distro

[Pak Chan <brightlilim () gmail com>]

Sorry, that was really badly phrased. I meant to say that I haven't
discovered all of what it can do yet, so can't comment on its capabilities
or lack thereof. I'm still in the process of configuring it (and will be
for a while, mixed in with other work). I also haven't decided if I want to
have it as an inline sensor/network filter (can it filter as well as
sense?) or just an out-of-band sensor.

I'll also need to see about configuring it to ignore certain IP addresses
occasionally (for targeted penetration tests, etc.), which I've not looked
into yet.

So, I might as well ask the questions: can I use SO as a network filter,
and can I configure it to allow pen tests on servers without triggering
massive amounts of alerts?

Pak
"Build a fire for a man, and he'll be warm for a day. Set a man on fire,
and he'll be warm for the rest of his life."


On 21 September 2012 23:09, Jeremy Hoel <jthoel () gmail com> wrote:

> Out ojmf curiosity, what does SO not do for you?
> On Sep 21, 2012 5:33 PM, "Pak Chan" <brightlilim () gmail com> wrote:
>
> > That may be true, but there are people who just need an IDS, and having
> > an easy-to-use IDS appliance (which is effectively what a distro is, or
> > should be) will help that. Most people won't delve into the code to
> > understand how it works underneath, in the same way that most people just
> > purchase and install firewalls without understanding how they work. It
> > means they won't get the best out of it, but it's a great deal better than
> > if they didn't have one at all.
> >
> > Personally, I'm in that situation at the moment. The last time I looked
> > at an IDS was one I had helped to build about ten years ago, and it was so
> > primitive compared to the capabilities modern ones have. I'm getting back
> > into it again, and finding myself short on time to learn about the
> > fundamentals, I've decided to go for the SecurityOnion distro. It doesn't
> > satisfy everything I want (yet), but that's down to my lack of experience
> > in tweaking it. I'll get better as I learn more about it, but I don't want
> > to be exposed in the meantime. I'll settle for less-than-ideal in the short
> > term.
> >
> > Pak
> > "Build a fire for a man, and he'll be warm for a day. Set a man on fire,
> > and he'll be warm for the rest of his life."
> >
> >
> > On 21 September 2012 17:51, PR <oly562 () gmail com> wrote:
> >
> > > ps. it shouldn't matter what distro, unix/linux, its nix, prebuilt? that
> > > means, no real configuring at the beginning, therefore, you will not
> > > learn how it works, where it is, how it can be tweeked, unless you are a
> > > wizard. not to say you can figure it out, it just means, you will have
> > > less knowledge about how it works at the core.
> > >
> > > On Fri, 2012-09-21 at 13:14 +0000, Turnbough, Bradley E. wrote:
> > > > From: Jaime Nebrera [mailto:jnebrera () gmail com]
> > > > Sent: Friday, September 21, 2012 2:51 AM
> > > > To: snort-users () lists sourceforge net
> > > > Subject: Re: [Snort-users] Looking for a prebuilt Snort IDS Distro
> > > >
> > > >
> > > >
> > > >
> > > > On 20/09/12 15:26, Turnbough, Bradley E. wrote:
> > > >
> > > > I’m looking for a prebuilt snort IDS Distro.  Preferrably based on the
> > > > Centos 6 series.  Any Suggestions?
> > > >
> > > >
> > > >
> > > > I’d like it to have (at a minimum):
> > > >
> > > >
> > > >
> > > > Snort
> > > >
> > > > Barnyard 2
> > > >
> > > > Snorby
> > > >
> > > > Mysql
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >   Hi Bradley,
> > > >
> > > >   I would suggest redBorder.net
> > > >
> > > >   It contains Snort, Barnyard 2, Snorby (for event management) and
> > > > MySQL. Besides those, you have a very powerful rule manager, config
> > > > system and SNMP monitoring as an extension of Snorby and performance
> > > > enhancements on the Snort side.
> > > >
> > > >   It is free for registered users and under open source license.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Exactly what I was looking for…. Thanks Jamie!
> > > >
> > > >
> > > > This e-mail transmission contains information that is confidential and
> > > > may be privileged. It is intended only for the addressee(s) named
> > > > above. If you receive this e-mail in error, please do not read, copy
> > > > or disseminate it in any manner. If you are not the intended
> > > > recipient, any disclosure, copying, distribution or use of the
> > > > contents of this information is prohibited. Please reply to the
> > > > message immediately by informing the sender that the message was
> > > > misdirected. After replying, please erase it from your computer
> > > > system. Your assistance in correcting this error is appreciated.
> > > ------------------------------------------------------------------------------
> > > > Got visibility?
> > > > Most devs has no idea what their production app looks like.
> > > > Find out how fast your code is with AppDynamics Lite.
> > > > http://ad.doubleclick.net/clk;262219671;13503038;y?
> > > > http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> > > > _______________________________________________ Snort-users mailing
> > > list Snort-users () lists sourceforge net Go to this URL to change user
> > > options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users
> > > list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-usersPlease visit
> > > http://blog.snort.org to stay current on all the latest Snort news!
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Got visibility?
> > > Most devs has no idea what their production app looks like.
> > > Find out how fast your code is with AppDynamics Lite.
> > > http://ad.doubleclick.net/clk;262219671;13503038;y?
> > > http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Got visibility?
> > Most devs has no idea what their production app looks like.
> > Find out how fast your code is with AppDynamics Lite.
> > http://ad.doubleclick.net/clk;262219671;13503038;y?
> > http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
How fast is your code?
3 out of 4 devs don\\\'t know how their code performs in production.
Find out how slow your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219672;13503038;z?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!