
Thread: Snort

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    Snort

    I have been reading these forums for quite some time now, and I really think there is a lack of attention to IDS systems. I have been using snort on linux, openbsd, and freebsd and I really think it is great.

    What I would like to hear from you guys is first, if anyone has any experience with it, second, how are you using it in your environment, and third, it would really be nice to hear something maybe about your favorite snort tips and tricks.

    My company just developed a branded network based IDS based on snort, and it has really been a pretty cool project to work on. We are currently using Demarc as the front end, with a few modifications of course, and have deployed it in several networks so far where it has been greatly appreciated by our clients. The one area we have not really perfected yet is management of multiple snort ids boxes across the enterprise from a single enforcement point. One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?

    I would greatly appreciate any help anyone can give me. Thanks in advance.

  2. #2

    Re: Snort

    "I have been reading these forums for quite some time now, and I really think there is a lack of attention to IDS systems."
    - D'oh.. I was writing a tutorial on snort and you posted the topic first. ARGH!!.. ah well.
    Good post

    " I have been using snort on linux, openbsd, and freebsd and I really think it is great. "

    - I agree. I don't have it on any other OS but win but i think its great.

    "What I would like to hear from you guys is first, if anyone has any experience with it, second, how are you using it in your environment, and third, it would really be nice to hear something maybe about your favorite snort tips and tricks."
    - I have a little experience with it.. just got it a few days ago. I'm using it at home and at school and I don't know any tricks for it yet. Any tips or tricks would be appreciated.

    "My company just developed a branded network based IDS based on snort, and it has really been a pretty cool project to work on."

    - I WANT A COPY!!!

    "We are currently using Demarc as the front end, with a few modifications of course, and have deployed it in several networks so far where it has been greatly appreciated by our clients. The one area we have not really perfected yet is management of multiple snort ids boxes across the enterprise from a single enforcement point. One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?"

    - Don't have a clue.. but grats on the new IDS.

    "I would greatly appreciate any help anyone can give me. Thanks in advance."
    - Sorry I couldn't be of any help but good post iNViCTuS


    Remote_Access_

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Good post iNViCTuS.

    I have started to evaluate snort and other IDS solutions, but I'm still in the "trial and error" phase. I have a snort IDS currently up and running (at home) and I have to say that I love it.

    One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?
    I'm not a code expert but a friend wrote a script solution for a similar program (in solaris). The script invoked SSH and copied (don't know with what program) the files to the destinations where a new script put the files in place.

    I guess a good solution is simply to ask at Snort.SourceFire.Com Discussion. If not, maybe someone here at AO has good knowledge and can help you out!?

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    157

    IDS in use

    I use snort both on my machine at home and on machines at work. Coupled with Shadow and a bit of elbow grease it's great.

    Previously I worked with some other commercial products that automagically would crank out reams of reports to glitz the managers but didn't really do me much good.

    Now it's a bit tedious for me to gen rpts when asked.

    I guess there's always a trade off between what'll sell to the mgrs and what the techs actually need.
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Noah built the ark BEFORE it rained.


    http://ld.net/?rn
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Re: Snort

    Originally posted by iNViCTuS
    The one area we have not really perfected yet is management of multiple snort ids boxes across the enterprise from a single enforcement point. One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?

    I would greatly appreciate any help anyone can give me. Thanks in advance.
    Can any of these tools be of interest to you?

    • Source: www.conostix.com
      IPFC is a software and framework to manage and monitor multiple types of security modules across a global network. Security modules can be as diverse as packet filters (like netfilter, pf, ipfw, IP Filter, checkpoint FW1...), NIDS (Snort, arpwatch...), webservers and other general devices (from servers to embedded devices).
    • Source: http://www.activeworx.com
      IDS Policy Manager - is a powerful way to modify the snort configuration and rule files. Some key features are: Graphical interface for easily manageability of snort rule and configuration files
      - Merge new official snort rules into existing rule files
      - Merge Whitehat (arachNIDS) rules into existing rule files
      - Make quick changes to snort rules
      - Easy to manage multiple sensors with multiple policy files
      - Upload policy files via FTP or SCP
      - Full support for all Snort 1.8 Preprocessors
      - Full support for all Snort 1.8 output processors
      - Easy to learn more information about a signature from popular databases such as CVE, BugTraq, Mcafee, arachNIDS and custom URL's
      - Add rules easily by line, multiple lines or make your own custom signatures

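The thread's open question (post #1), the ssh-and-copy script described in post #3 and the "upload policy files via FTP or SCP" feature in post #5 all stop at moving the files. What a practitioner would add is the sensor-side check that what arrived is exactly what the console built, plus an atomic swap so Snort never reloads a half-copied rules directory. Editor's added example below, written for this page and not code from any poster, from Demarc, or from Snort; the transport (scp over ssh, as post #3 describes) is assumed and not run here, and the two rule files are constructed sample input:

```python
"""Integrity-checked rule push for Snort sensors. Added example written for
this page; not code from the thread, from Demarc or from Snort. Transport is
assumed to be scp over ssh (post #3) and is not executed here. The point is
the step the thread leaves open: the sensor verifies the staged rule set
against a manifest the console built (no modified, missing or extra files)
and only then swaps it into place with a rename."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(rules_dir):
    """Console side: 'sha256  filename' per *.rules file, sorted so the
    manifest is reproducible (sign this file too when shipping it)."""
    names = sorted(n for n in os.listdir(rules_dir) if n.endswith(".rules"))
    return "".join("%s  %s\n" % (sha256_file(os.path.join(rules_dir, n)), n)
                   for n in names)


def parse_manifest(text):
    """Reject entries that would escape the rules directory."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            if name != os.path.basename(name) or name in ("", ".", ".."):
                raise ValueError("bad manifest entry: %r" % name)
            entries[name] = digest
    return entries


def verify_staging(staging_dir, manifest_text):
    """Sensor side: list of problems; empty means staging matches exactly."""
    expected = parse_manifest(manifest_text)
    present = {n for n in os.listdir(staging_dir) if n.endswith(".rules")}
    problems = []
    for name, digest in expected.items():
        if name not in present:
            problems.append("missing: " + name)
        elif sha256_file(os.path.join(staging_dir, name)) != digest:
            problems.append("hash mismatch: " + name)
    problems += ["not in manifest: " + n for n in sorted(present - set(expected))]
    return problems


def install_rules(staging_dir, manifest_text, live_dir):
    """Verify, then rename the new set into place. Returns False and leaves
    the live rules untouched if verification fails."""
    if verify_staging(staging_dir, manifest_text):
        return False
    parent = os.path.dirname(os.path.abspath(live_dir))
    new_dir = tempfile.mkdtemp(prefix="rules-new-", dir=parent)
    for name in parse_manifest(manifest_text):
        shutil.copy2(os.path.join(staging_dir, name), os.path.join(new_dir, name))
    old_dir = live_dir + ".old"
    if os.path.isdir(old_dir):
        shutil.rmtree(old_dir)
    if os.path.isdir(live_dir):
        os.rename(live_dir, old_dir)   # keep one generation for rollback
    os.rename(new_dir, live_dir)
    return True


def demo():
    """Constructed end-to-end run in a temporary tree: a clean push installs;
    the same push with one file altered in transit is refused."""
    root = tempfile.mkdtemp(prefix="snortpush-")
    console = os.path.join(root, "console")
    os.mkdir(console)
    with open(os.path.join(console, "local.rules"), "w") as f:
        f.write('alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000001;)\n')
    with open(os.path.join(console, "web.rules"), "w") as f:
        f.write('alert tcp any any -> $HOME_NET 80 (msg:"cgi-bin probe"; content:"/cgi-bin/"; sid:1000002;)\n')
    manifest = build_manifest(console)
    staging = os.path.join(root, "staging")
    shutil.copytree(console, staging)          # stands in for the scp step
    live = os.path.join(root, "rules")
    first = install_rules(staging, manifest, live)
    with open(os.path.join(staging, "web.rules"), "a") as f:
        f.write("# altered after the manifest was built\n")
    problems = verify_staging(staging, manifest)
    second = install_rules(staging, manifest, live)
    live_ok = sorted(os.listdir(live)) == ["local.rules", "web.rules"]
    shutil.rmtree(root)
    return {"first_install": first, "second_install": second,
            "problems": problems, "live_intact": live_ok}
```

Run `demo()` to see the clean push succeed and the altered one get refused with `hash mismatch: web.rules` while the live directory keeps the first version. The manifest itself still travels over the same channel as the rules, so in a real deployment it should be signed at the console (GnuPG or an ssh-side checksum kept out of band) rather than trusted on arrival.
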
  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    IDS Forum

    I think there should be an IDS forum here at AO. I think there is a lot that can be discussed about the subject, and it is very interesting (to me at least)

    Maybe we should suggest it to JP?

    Thank you guys for the replies...they gave me some good ideas. I too will put together a Snort/Demarc Tutorial that should be very helpful to everyone.

    BTW...If any of you guys are interested in seeing the IDS we have been working on, we have a demo set up. When you go to the following link, when it asks you to login....just click anonymous

    http://rid.remingtonltd.com/rid/rid

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Great idea !

    "I think there should be an IDS forum here at AO. I think there is a lot that can be discussed about the subject, and it is very interesting (to me at least)"
    I think it would be a great idea with a forum for IDS but I would like to expand the idea to include honeypots and honeynets since they in some cases are quite near a host based IDS. A good example is Specter which is an interesting solution for win32, more to read here.

    Thanks for sharing I'll take a look at your IDS !

    ~micael

  8. #8
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193

    Cool good post

    I agree and we should have one for ids
    I've experience with some other brand-name IDS but not with snort. So I tried it on solaris but it never worked.

    I think I may have botched the download file in transfer because it chokes on install - right at the end. Waiting to see the tut on it tho
    Trappedagainbyperfectlogic.

  9. #9
    Junior Member
    Join Date
    Jan 2002
    Posts
    16
    IDS forum!!!! :-) Please!

    If you don't find the tool you'd like here, please do post to http://snort.rapidnet.com/

    I know the guy who wrote snort (as many of you might), he tries his best to ensure snort and associated tools are useful to the community.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Denial of Service in Snort

    Reported January 28, 2002, by Internet Security Systems.

    VERSIONS AFFECTED
    Snort Intrusion Detection System 1.8.3 and earlier, all platforms

    DESCRIPTION
    A remote Denial of Service (DoS) condition exists in the open-source Intrusion Detection System (IDS) Snort. An attacker can use specially crafted Internet Control Message Protocol (ICMP) echo and echo-reply packets with less than 5 bytes of ICMP data to remotely crash the system.

    VENDOR RESPONSE
    Snort recommends that affected users apply the available patch and recompile the binaries or download the latest version (build 90 or better) from their CVS tree.

    CREDIT
    Discovered by Sinbad.

    Source: Security Administrator.

    Links:
    Snort
    Snort Patch
    Latest Snort
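
The advisory says that ICMP echo and echo-reply packets with less than 5 bytes of ICMP data crash Snort 1.8.3 and earlier; it does not say which read in the decoder goes past the end of the packet, and the patch it links is not reproduced on this page. The general lesson for anyone writing or auditing a packet decoder is the same regardless: an echo or echo-reply has an 8-byte header (type, code, checksum, identifier, sequence), and every field read must be bounded by the captured length, with short packets handed back as a verdict rather than dereferenced. Editor's added example below, not Snort's decoder and not the vendor patch; the sample packets are constructed inline:

```python
"""Minimal ICMP decoder that refuses truncated echo/echo-reply packets.
Added example written for this page: not Snort's decoder and not the patch
the advisory refers to. Demonstrates the bound-every-read discipline whose
absence lets a short packet crash a sensor."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO = 8
ECHO_HDR_LEN = 8   # type(1) code(1) checksum(2) identifier(2) sequence(2)


def icmp_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(payload):
    """Returns a dict describing the packet; never raises on short input.
    The length check before each unpack is the whole point."""
    if len(payload) < 4:
        return {"verdict": "truncated", "reason": "no complete ICMP header"}
    itype, code, _cksum = struct.unpack("!BBH", payload[:4])
    if itype in (ICMP_ECHO, ICMP_ECHO_REPLY):
        if len(payload) < ECHO_HDR_LEN:
            # A decoder that reads id/seq here without this check walks off
            # the end of the buffer: the class of bug the advisory describes.
            return {"verdict": "truncated", "type": itype,
                    "reason": "echo header needs 8 bytes, got %d" % len(payload)}
        ident, seq = struct.unpack("!HH", payload[4:8])
        return {"verdict": "ok", "type": itype, "code": code, "id": ident,
                "seq": seq, "data_len": len(payload) - ECHO_HDR_LEN,
                "checksum_ok": icmp_checksum(payload) == 0}
    return {"verdict": "ok", "type": itype, "code": code,
            "data_len": len(payload) - 4,
            "checksum_ok": icmp_checksum(payload) == 0}


def build_echo(ident, seq, data, itype=ICMP_ECHO):
    """Constructs a well-formed echo (or echo-reply) with a valid checksum."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    cksum = icmp_checksum(hdr + data)
    return struct.pack("!BBHHH", itype, 0, cksum, ident, seq) + data


# Constructed samples: a normal ping, and the same packet cut to 6 bytes so
# that type/code/checksum/id are present but the sequence field is not.
NORMAL_PING = build_echo(0x1234, 1, b"abcdefgh")
SHORT_ECHO = NORMAL_PING[:6]
```

`decode_icmp(SHORT_ECHO)` returns a `truncated` verdict instead of an exception, which is what a sensor needs: the packet is logged as malformed (itself worth an alert) and the process keeps running. The same pattern applies to every variable-length field a decoder reads, not just ICMP.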

