-
January 29th, 2002, 11:09 PM
#1
Snort
I have been reading these forums for quite some time now, and I really think there is a lack of attention to IDS systems. I have been using snort on linux, openbsd, and freebsd and I really think it is great.
What I would like to hear from you guys is first, if anyone has any experience with it, second, how are you using it in your environment, and third, it would really be nice to hear something maybe about your favorite snort tips and tricks.
My company just developed a branded network based IDS based on snort, and it has really been a pretty cool project to work on. We are currently using Demarc as the front end, with a few modifications of course, and have deployed it in several networks so far where it has been greatly appreciated by our clients. The one area we have not really perfected yet is management of multiple snort ids boxes across the enterprise from a single enforcement point. One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?
I would greatly appreciate any help anyone can give me. Thanks in advance.
-
January 29th, 2002, 11:18 PM
#2
Re: Snort
"I have been reading these forums for quite some time now, and I really think there is a lack of attention to IDS systems."
- D'oh.. I was writing a tutorial on snort and you posted the topic first. ARGH!!.. ah well.
Good post
"I have been using snort on linux, openbsd, and freebsd and I really think it is great."
- I agree. I don't have it on any other OS but Win, but I think it's great.
"What I would like to hear from you guys is first, if anyone has any experience with it, second, how are you using it in your environment, and third, it would really be nice to hear something maybe about your favorite snort tips and tricks."
- I have a little experience with it.. just got it a few days ago. I'm using it at home and at school and I don't know any tricks for it yet. Any tips or tricks would be appreciated.
"My company just developed a branded network based IDS based on snort, and it has really been a pretty cool project to work on."
- I WANT A COPY!!!
"We are currently using Demarc as the front end, with a few modifications of course, and have deployed it in several networks so far where it has been greatly appreciated by our clients. The one area we have not really perfected yet is management of multiple snort ids boxes across the enterprise from a single enforcement point. One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?"
- Don't have a clue.. but grats on the new IDS.
"I would greatly appreciate any help anyone can give me. Thanks in advance."
- Sorry I couldn't be of any help but good post iNViCTuS
Remote_Access_
-
January 29th, 2002, 11:41 PM
#3
Good post iNViCTuS.
I have started to evaluate snort and other IDS solutions, but I'm still in the "trial and error" phase. I have a snort IDS currently up and running (at home) and I have to say that I love it.
One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?
I'm not a code expert but a friend wrote a script solution for a similar program (in solaris). The script invoked SSH and copied (don't know with what program) the files to the destinations where a new script did put the files in place.
I guess a good solution is simply to ask at Snort.SourceFire.Com Discussion. If not, perhaps someone here at AO has good knowledge and can help you out!?
-
January 30th, 2002, 05:59 AM
#4
Senior Member
ids in use
I use snort both on my machine at home and on machines at work. Coupled with Shadow and a bit of elbow grease it's great.
Previously I worked with some other commercial products that automagically would crank out reams of reports to glitz the managers but didn't really do me much good.
Now it's a bit tedious for me to gen rpts when asked.
I guess there's always a trade off between what'll sell to the mgrs and what the techs actually need.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
Noah built the ark BEFORE it rained.
http://ld.net/?rn
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
-
January 30th, 2002, 09:56 AM
#5
Re: Snort
Originally posted by iNViCTuS
The one area we have not really perfected yet is management of multiple snort ids boxes across the enterprise from a single enforcement point. One thing especially is being able to securely push out signature files to all the sensors on the network with an automated process. Are there any tools already existing for something like this?
I would greatly appreciate any help anyone can give me. Thanks in advance.
Can any of these tools be of interest to you?
- Source: www.conostix.com
IPFC is a software and framework to manage and monitor multiple types of security modules across a global network. Security modules can be as diverse as packet filters (like netfilter, pf, ipfw, IP Filter, checkpoint FW1...), NIDS (Snort, arpwatch...), webservers and other general devices (from servers to embedded devices).
- Source: http://www.activeworx.com
IDS Policy Manager - is a powerful way to modify the snort configuration and rule files. Some key features are:
- Graphical interface for easy manageability of snort rule and configuration files
- Merge new official snort rules into existing rule files
- Merge Whitehat (arachNIDS) rules into existing rule files
- Make quick changes to snort rules
- Easy to manage multiple sensors with multiple policy files
- Upload policy files via FTP or SCP
- Full support for all Snort 1.8 Preprocessors
- Full support for all Snort 1.8 output processors
- Easy to learn more information about a signature from popular databases such as CVE, BugTraq, McAfee, arachNIDS and custom URLs
- Add rules easily by line, multiple lines or make your own custom signatures
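The SSH-based push that post #3 describes and the SCP upload the tools above offer, with the integrity check a defender wants before a sensor installs a pushed rules file, as an added example (not any poster's script and not code from any tool named here); the sensor list, file paths, PID file location, the remote user's sudo rights and the presence of sha256sum/scp/ssh on both ends are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread or any tool it names.
# Copies one rules file to each sensor's home directory as a staged file, re-checks its
# SHA-256 digest on the sensor, moves it into the rules directory only if the digest
# matches, and sends Snort SIGHUP so it restarts and re-reads its configuration.
RULES_FILE="${RULES_FILE:-./local.rules}"
RULES_DIR="${RULES_DIR:-/etc/snort}"
PID_FILE="${PID_FILE:-/var/run/snort.pid}"   # assumed placeholder path
SENSORS="${SENSORS:-}"                        # space-separated hostnames; empty pushes nothing

# Hex SHA-256 digest of a local file.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# The command executed on the sensor. Building it in a function lets it be
# inspected (and tested) without a network: a digest mismatch deletes the
# staged copy and aborts before anything reaches $dest.
remote_install_cmd() {
    digest="$1"; dest="$2"; pidfile="$3"
    printf '%s' "set -e; s=\$HOME/rules.staged; \
a=\$(sha256sum \"\$s\" | cut -d' ' -f1); \
[ \"\$a\" = \"$digest\" ] || { echo digest mismatch >&2; rm -f \"\$s\"; exit 1; }; \
sudo mv \"\$s\" \"$dest\"; sudo kill -HUP \"\$(cat $pidfile)\""
}

# Stage the file with scp, then verify and install it over ssh.
push_to_sensor() {
    host="$1"; digest="$2"
    scp -q "$RULES_FILE" "$host:rules.staged" || return 1
    ssh "$host" "$(remote_install_cmd "$digest" "$RULES_DIR/$(basename "$RULES_FILE")" "$PID_FILE")"
}

if [ -n "$SENSORS" ]; then
    digest=$(file_digest "$RULES_FILE") || exit 1
    for host in $SENSORS; do
        push_to_sensor "$host" "$digest" && echo "updated $host" || echo "FAILED $host" >&2
    done
else
    echo "SENSORS is empty: nothing pushed"
fi
```

The digest is computed on the management box and compared on the sensor, so a truncated or altered transfer never replaces the live rules.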
-
January 30th, 2002, 04:07 PM
#6
IDS Forum
I think there should be an IDS forum here at AO. I think there is a lot that can be discussed about the subject, and it is very interesting (to me at least)
Maybe we should suggest it to JP?
Thank you guys for the replies...they gave me some good ideas. I too will put together a Snort/Demarc Tutorial that should be very helpful to everyone.
BTW...If any of you guys are interested in seeing the IDS we have been working on, we have a demo set up. When you go to the following link, when it asks you to log in, just click anonymous
http://rid.remingtonltd.com/rid/rid
-
January 30th, 2002, 04:57 PM
#7
Great idea !
I think there should be an IDS forum here at AO. I think there is a lot that can be discussed about the subject, and it is very interesting (to me at least)
I think it would be a great idea with a forum for IDS but I would like to expand the idea to include honeypot and honeynet since they in some cases are quite near a host based IDS, a good example is Specter which is an interesting solution for win32, more to read here.
Thanks for sharing I'll take a look at your IDS !
~micael
-
January 30th, 2002, 06:24 PM
#8
good post
I agree and we should have one for ids
I've experience with some other brand-name IDS but not with snort. So I tried it on solaris but it never worked
I think I may have botched the download file in transfer because it chokes on install - right at the end. Waiting to see the tut on it tho
Trappedagainbyperfectlogic.
-
February 1st, 2002, 06:57 AM
#9
Junior Member
IDS forum!!!! :-) Please!
If you don't find the tool you'd like here, please do post to http://snort.rapidnet.com/
I know the guy who wrote snort (as many of you might), he tries his best to ensure snort and associated tools are useful to the community.
-
February 4th, 2002, 12:38 PM
#10
Denial of Service in Snort
Reported January 28, 2002, by Internet Security Systems.
VERSIONS AFFECTED
Snort Intrusion Detection System for all platforms with 1.8.3 and earlier
DESCRIPTION
A remote Denial of Service (DoS) condition exists in the open-source Intrusion Detection System (IDS) Snort. An attacker can use specially crafted Internet Control Message Protocol (ICMP) echo and echo-reply packets with less than 5 bytes of ICMP data to remotely crash the system.
VENDOR RESPONSE
Snort recommends that affected users apply the available patch and recompile the binaries or download the latest version (build 90 or better) from their CVS tree.
CREDIT
Discovered by Sinbad.
Source: Security Administrator.
Links:
Snort
Snort Patch
Latest Snort