Looking for a prebuilt Snort IDS Distro

[Doug Burks <doug.burks () gmail com>]

Hi Pak,

You can manually configure Security Onion as an IPS but that's not
what it was designed for and we don't support it.

We do support BPFs for ignoring specific IP addresses.

If you have further questions specific to Security Onion, please feel
free to use our mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Saturday, September 22, 2012, Pak Chan wrote:
> Sorry, that was really badly phrased. I meant to say that I haven't discovered all of what it can do yet, so can't 
> comment on its capabilities or lack thereof. I'm still in the process of configuring it (and will be for a while, 
> mixed in with other work). I also haven't decided if I want to have it as an inline sensor/network filter (can it 
> filter as well as sense?) or just an out-of-band sensor.
>
> I'll also need to see about configuring it to ignore certain IP addresses occasionally (for targeted penetration 
> tests, etc.), which I've not looked into yet.
>
> So, I might as well ask the questions: can I use SO as a network filter, and can I configure it to allow pen tests on 
> servers without triggering massive amounts of alerts?
>
> Pak
> "Build a fire for a man, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life."
>
>
> On 21 September 2012 23:09, Jeremy Hoel <jthoel () gmail com> wrote:
>
> Out ojmf curiosity, what does SO not do for you?
>
> On Sep 21, 2012 5:33 PM, "Pak Chan" <brightlilim () gmail com> wrote:
>
> That may be true, but there are people who just need an IDS, and having an easy-to-use IDS appliance (which is 
> effectively what a distro is, or should be) will help that. Most people won't delve into the code to understand how 
> it works underneath, in the same way that most people just purchase and install firewalls without understanding how 
> they work. It means they won't get the best out of it, but it's a great deal better than if they didn't have one at 
> all.
>
> Personally, I'm in that situation at the moment. The last time I looked at an IDS was one I had helped to build about 
> ten years ago, and it was so primitive compared to the capabilities modern ones have. I'm getting back into it again, 
> and finding myself short on time to learn about the fundamentals, I've decided to go for the SecurityOnion distro. It 
> doesn't satisfy everything I want (yet), but that's down to my lack of experience in tweaking it. I'll get better as 
> I learn more about it, but I don't want to be exposed in the meantime. I'll settle for less-than-ideal in the short 
> term.
>
> Pak
> "Build a fire for a man, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life."
>
>
> On 21 September 2012 17:51, PR <oly562 () gmail com> wrote:
>
> ps. it shouldn't matter what distro, unix/linux, its nix, prebuilt? that
> means, no real configuring at the beginning, therefore, you will not
> learn how it works, where it is, how it can be tweeked, unless you are a
> wizard. not to say you can figure it out, it just means, you will have
> less knowledge about how it works at the core.
>
> On Fri, 2012-09-21 at 13:14 +0000, Turnbough, Bradley E. wrote:
> > From: Jaime Nebrera [mailto:jnebrera () gmail com]
> > Sent: Friday, September 21, 2012 2:51 AM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Looking for a prebuilt Snort IDS Distro
> >
> >
> >
> >
> > On 20/09/12 15:26, Turnbough, Bradley E. wrote:
> >
> > I’m looking for a prebuilt snort IDS Distro.  Preferrably based on the
> > Centos 6 series.  Any Suggestions?
> >
> >
> >
> > I’d like it to have (at a minimum):
> >
> >
> >
> > Snort
> >
> > Barnyard 2
> >
> > Snorby
> >
> > Mysql
> >
> >
> >
> >
> >
> >   Hi Bradley,
> >
> >   I would suggest redBorder.net
> >
> >   It contains Snort, Barnyard 2, Snorby (for event management) and
> > MySQL. Besides those, you have a very powerful rule manager, config
> > system and SNMP monitoring as an extension of Snorby and performance
> > enhancements on the Snort side.
> >
> >   It is free for registered users and under open source license.
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Exactly what I was looking for…. Thanks Jamie!
> >
> >
> > This e-mail transmission contains information that is confidential and
> > may be privileged. It is intended only for the addressee(s) named
> > above. If you receive this e-mail in error, please do not read, copy
> > or disseminate it in any manner. If you are not the intended
> > recipient, any disclosure, copying, distribution or use of the
> > contents of this information is prohibited. Please reply to the
> > message immediately by informing the sender that the message was
> > misdirected. After replying, please erase it from your computer
> > system. Your assistance in correcting this error is appreciated.
> > ------------------------------------------------------------------------------



--
Doug Burks
http://securityonion.blogspot.com



-- 
Doug Burks
http://securityonion.blogspot.com

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!