
Thread: IDS standards

  1. #11
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Whois is all you need to know who was doing what. I recommend that you download and install snort and its signatures, let it run for a while, and then keep checking what every event that shows up is. Snort (as well as others) will vividly describe what it sees and why it thinks it's bad. Just remember, IDS boxes are just like AV software, they only detect 'known attack signatures'. They could, depending on how the filter is written, miss an attack that has been modified, or variants of the same attack. In other words, you will not be able to see everything that has been going on, but usually enough to know someone was up to no good...

    neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  2. #12
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Well, if you set snort to log to syslog (for *nix), you can use swatch or logcheck to monitor the log and mail you under certain conditions.

    It is possible to run snort on win32 platforms, binaries are available here

    http://www.snort.org/dl/binaries/

    Maybe there is a utility available for windows which could take care of the notification, I don't know.

    Also, you could set snort to log to mysql, and find a script or something which will periodically check for new additions to the database, and mail those to you.

    Also, there is something called ACID which is an analysis console for snort, basically a webpage, I suppose you could use that remotely, although I'm not sure you would really want it set up that way as now your IDS box would have to make services available from the internet and that could lead to a compromised IDS box.
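
The setup described in post #12 (Snort logging to syslog, with a watcher mailing on certain conditions), as an added example that is not part of the original thread and is not swatch or logcheck themselves. It assumes Snort's usual one-line syslog alert layout and IPv4 addresses; the function names, mail addresses and sample log lines are constructed for illustration, and the digest is built but not sent.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Assumed Snort syslog alert layout:
#   snort[pid]: [gid:sid:rev] message [Classification: ...] [Priority: n]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]:? "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

# Constructed sample syslog excerpt (documentation address ranges, illustrative alerts).
SAMPLE_LOG = """\
Mar  3 02:14:07 ids1 snort[412]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.9:1052 -> 192.0.2.10:1434
Mar  3 02:14:09 ids1 snort[412]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.9:1053 -> 192.0.2.11:1434
Mar  3 02:15:30 ids1 sshd[901]: Accepted publickey for admin from 192.0.2.50 port 50122 ssh2
Mar  3 02:16:02 ids1 snort[412]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.4 -> 192.0.2.10
Mar  3 02:17:45 ids1 snort[412]: [1:1390:5] SHELLCODE x86 inc ebx NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 198.51.100.4:4431 -> 192.0.2.10:80
"""

def parse_alerts(text):
    """Yield one dict per Snort alert line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert["prio"] = int(alert["prio"])             # 1 is the most severe
            alert["src_ip"] = alert["src"].rsplit(":", 1)[0]  # drop port if present (IPv4)
            yield alert

def build_digest(text, max_prio=2, sender="ids@example.org", rcpt="admin@example.org"):
    """Return an EmailMessage summarising alerts with priority <= max_prio, else None."""
    hits = [a for a in parse_alerts(text) if a["prio"] <= max_prio]
    if not hits:
        return None  # the "certain conditions" were not met: stay quiet
    # Collapse repeats so a noisy source produces one line, not one mail per packet.
    counts = Counter((a["prio"], a["sid"], a["msg"], a["src_ip"]) for a in hits)
    body = [f"{n:4d}x  prio {p}  sid {sid}  {sig}  from {src}"
            for (p, sid, sig, src), n in sorted(counts.items())]
    mail = EmailMessage()
    mail["From"], mail["To"] = sender, rcpt
    mail["Subject"] = f"[snort] {len(hits)} alert(s) at priority <= {max_prio}"
    mail.set_content("\n".join(body))
    return mail  # pass to smtplib.SMTP(...).send_message(mail) to deliver
```

Run from cron over the new part of the log, this keeps the IDS box outbound-only, which avoids exposing a web console on it.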

  3. #13
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    There is also demarc (IMHO a little better/more user friendly) than acid and snortreport (never used it) for SNORT frontends (http://www.snort.org/dl/contrib/front_ends).

    demarc was at one time (and I think still is) free for non-commercial use (same with acid). They are both basically http front ends and if you take the time to properly secure the server with access-lists/authentication/patches and restrict access at your firewall, it should be 'ok' to use.

  4. #14
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Sorry for the short reply..

    I found one tool for Windows/Snort in my mail yesterday and it may be worth checking out?

    IDScenter : Snort IDScenter is a GUI for Snort IDS on Windows platforms.

    Remember that this is a beta and not a stable release, I would not recommend putting it in production without some thorough testing first.

    ~micael

  5. #15
    HYBR|D
    Guest
    Ta, so far so good. I've got that snort control center and I use it for my PC at home, it is very handy. And btw, thanks to everybody for their help. If anything else comes up please don't hesitate to post.

    Regards HYBR|D
