IDS standards

Thread: IDS standards

  1. #1
    HYBR|D
    Guest

    IDS standards

    Hi, I have posted a question on remote IDS and no one has answered it! Is it that nobody is sure how to answer this question correctly?? I'm sure not, but I'll ask again.
    At work, if I set up an IDS, is it possible for me to set it up so I can monitor it from home? How does it send messages? In what way? Any help would be greatly appreciated.

    Best Regards HYBRID :: Thanks in advance

  2. #2
    nebulus200 (Jaded Network Admin, joined Jun 2002, 1,356 posts)
    Probably no answers because you failed to mention what product, what platform, what environment, etc... Pretty much impossible to answer such a generic question...

    Aside from that, answer the platform question yourself and think about how you would get to that box remotely normally, and you will probably answer the question yourself.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member (joined Apr 2002, 712 posts)
    I think nebulus hit it on the head... generic questions are generally met with rather blank stares - kind of like walking into a ticket broker and asking them if "the show" is on sale.

    So... the answer to your question(s) is an unequivocal "yes."

    To be a little less ambiguous than you yourself were... if you can talk to it on the network in some form, chances are, it can talk to you - and vice versa. (But that's actually a much more difficult and convoluted answer than it surely appears.)
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  4. #4
    HYBR|D
    Guest
    Thanks for the feedback, and yes, you are both right! OK, the network consists of 3 Debian Linux boxes (file server, web server and mail server). There are also 5 Win 2000 servers running file servers and dial-up servers, 1 border router and 1 internal router, and there are 2 firewalls, one in front of each server group, e.g. 1 in front of the Linux boxes and 1 in front of the Win2000 boxes. They all have basic and shitty logs. I want to monitor all traffic and logs from all servers, routers and firewalls. If you guys want to know more, please ask! All help is a godsend.
    Thanks again in advance.

  5. #5
    Senior Member (joined Apr 2002, 712 posts)
    Hmmm... well, you ask about IDS, but you give network specs (sort of).

    Ideally, hosts should log to themselves and to a network location elsewhere (as a minimum).

    As far as network IDS goes, well placement's a bit of a holy war... you still haven't indicated what you are planning on using, etc.

  6. #6
    HYBR|D
    Guest
    Hmm, Snort for the *ix based OSs, and I haven't come across many Win32 IDSs. Please, I need all the help I can get with IDSs.

  8. #8
    Senior Member (joined Apr 2002, 712 posts)
    Last I knew, putting Winblowz into promiscuous mode kinda sucked... even ISS has a BSD appliance with an NT console (i.e. the part doing the real work is on UN*X).

  9. #9
    nebulus200 (Jaded Network Admin, joined Jun 2002, 1,356 posts)
    Well, what you seem to be asking about is how to get all the logs in one place. I am not sure about the winblowz boxes, but the rest of the things you mentioned should all be able to write to a remote syslog server (which they really should be doing in the first place to protect logs/evidence).

    As far as IDS goes, you would be well served by placing a NIDS at your internet connection. Easiest thing to do is get a simple box with plenty of memory and throw snort on it. It is free, it is fast, frequently updated, and is overall pretty damn good (drawback can be monitoring/database watching, although there are plenty of web based frontends that help with it pretty significantly).

    Now to get to the original question: you could monitor both of what I have mentioned from anywhere you want; however, I would make sure to lock the access down tight to your remote IP and your remote IP only, otherwise you are inviting disaster (think of all the lovely information someone on the internet could see about your network/servers/accounts if they could browse your Snort logs).

    Hope that helps,

    neb
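As an added example (not code from anyone in this thread), here is a small script for the setup nebulus200 describes: hosts and the Snort sensor all write to one central syslog server, and the admin wants to see, per source IP, what fired and against which of their servers. The log lines, rule IDs and addresses are constructed placeholders in the shape of Snort's alert_syslog output.

```python
import re
from collections import defaultdict

# Constructed sample of what a central syslog host receives: three Snort alerts
# (alert_syslog output shape) plus one unrelated sshd line. Addresses come from
# RFC 5737 documentation ranges; rule IDs are placeholders in the local-rule range.
SAMPLE_SYSLOG = """\
Mar  5 14:22:01 nids snort[1234]: [1:100001:1] WEB probe on admin path [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:41234 -> 192.0.2.10:80
Mar  5 14:22:09 nids snort[1234]: [1:100002:1] SMTP relay test [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:41300 -> 192.0.2.25:25
Mar  5 14:23:40 nids snort[1234]: [1:100001:1] WEB probe on admin path [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5555 -> 192.0.2.10:80
Mar  5 14:23:41 nids sshd[777]: Accepted publickey for admin from 192.0.2.99 port 50000 ssh2
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<class>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-Snort syslog lines."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Group alerts by source IP: hit count, distinct signatures, targets, time span."""
    summary = defaultdict(lambda: {"hits": 0, "sigs": set(), "targets": set(),
                                   "first": None, "last": None})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue          # not a Snort alert; other daemons share the syslog
        entry = summary[a["src"]]
        entry["hits"] += 1
        entry["sigs"].add(a["msg"])
        entry["targets"].add(f'{a["dst"]}:{a["dport"]}/{a["proto"]}')
        entry["first"] = entry["first"] or a["ts"]
        entry["last"] = a["ts"]   # lines arrive in time order on the syslog host
    return dict(summary)

def top_sources(text, n=5):
    """Source IPs ordered by hit count, the first thing to look at when an alert fires."""
    s = summarize(text)
    return sorted(s, key=lambda ip: (-s[ip]["hits"], ip))[:n]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_SYSLOG).items():
        print(ip, e["hits"], sorted(e["sigs"]), sorted(e["targets"]), e["first"], e["last"])
```

Run it against the real syslog file instead of SAMPLE_SYSLOG to get the same per-source view of what an alerting IP has touched on your network.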

  10. #10
    HYBR|D
    Guest
    Thanks NEB, well you have helped greatly, I just have a few more questions. Once this is set up and I get a message from the IDS, how do I trace that IP to find who it is etc., and what they have been doing and where they have been? I know it's a lot to ask, but you seem to know what you're talking about. I know all about whois and the rest, but that will give me an ISP and that's it, yes or no?

    thanks again for your help
