
Thread: RNA

  1. #1
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834

    RNA

    I have been spending numerous hours on Snort.org planning and attempting to implement a complete IDS system, all based on some advice from senior members and various discussions relating to IDS and Linux. Today I happened upon a link from snort.org that discusses the next possible step in analyzing network incidents. RNA = Real Time Network Analysis. Normally I wouldn't be interested (big bucks), but this is from Sourcefire (whom I respect) and is kind of endorsed by Snort.org. What is really cool is that a webinar is coming up on July 29th. Grab some coffee or chips and have a watch... I'll see ya there.


    www.snort.org

    RNA white paper at sourcefire.com
    http://www.sourcefire.com/technology/whitepapers.htm

    Registration
    http://www.sourcefire.com/wp_request...istration.html
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  2. #2
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    Good luck with Snort. I have been using it for about a year now and have had very, very few problems. It is the best piggy sniffer/IDS engine out there. I have Snort set up on a Linux box between my server and router, connected to a hub repeater, with iptables set to drop all outgoing packets. So it is basically completely invisible.

    A word of advice too: when setting up Snort, or any IDS for that matter, make sure you set it up 'properly' and know what you are doing. False positives are time consuming and annoying, but are better than not noticing an attack. The best way I have found to set up Snort is to configure it to log everything for about a week, so you understand what traffic is normal for the network you are connected to, then proceed to implement rules and your configuration based upon the default network traffic. I wrote a tutorial about Network Based Intrusion & Detection a while back, but it would still be a good guide to help you out; here is a link. Good luck.

  3. #3
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    Snort IS great, I agree. I am still playing with its config. I am using syslog to monitor Snort, so I didn't install ACID or MySQL, etc. I am regretting it now and may install it later. Additionally, you have to tailor rule sets based on your institution's security policies. What may pass in one network may cause serious consequences in another.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
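    The two posts above describe the same workflow: log everything for a baseline week, then tune rules to the traffic that is normal for your own network, with false positives trimmed rather than the IDS silenced. The script below is an added example for this thread, not Snort or Sourcefire code. It parses Snort's one-line "alert_fast" output (the format you get when feeding alerts to syslog without ACID or a database), groups a week of alerts by generator and signature ID, and drafts threshold.conf entries: a `suppress` for a rule that only ever fires from one or two home hosts (a monitoring box pinging the LAN, say), and a per-source `event_filter` rate limit for a rule that is merely noisy, so a genuine attacker still raises an alert. The alert lines, the HOME_NET range, the 1000001-1000003 signature IDs and the 100-per-day noise threshold are all constructed placeholders, not real rule IDs or recommended values. `event_filter` is the current Snort 2.x keyword; the 2003-era equivalent was `threshold` with the same arguments.

```python
"""Baseline a week of Snort fast-format alerts and draft threshold.conf tuning.

Added example for this thread; not Snort or Sourcefire project code. The alert
lines, HOME_NET and signature IDs below are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Snort "alert_fast" layout, one event per line. The Classification field is
# absent for rules that carry no classtype, so it is optional in the pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the monitored LAN


def split_addr(field):
    """'10.0.0.5:443' -> ('10.0.0.5', 443). ICMP alerts carry no port."""
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return field, None


def parse_alert(line):
    """Return the fields of one alert line, or None for anything else in the log."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_addr(m.group("src"))
    dst, dport = split_addr(m.group("dst"))
    return {
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"), "priority": int(m.group("prio")), "proto": m.group("proto"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def is_home(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def summarize(lines):
    """Group alerts by (gid, sid): total count, message text, events per source host."""
    stats = {}
    for line in lines:
        ev = parse_alert(line)
        if ev is None:          # syslog chatter or truncated lines: skip, never crash
            continue
        key = (ev["gid"], ev["sid"])
        s = stats.setdefault(key, {"msg": ev["msg"], "count": 0, "sources": defaultdict(int)})
        s["count"] += 1
        s["sources"][ev["src"]] += 1
    return stats


def suggest_tuning(stats, days, noisy_per_day=100, max_benign_sources=2):
    """Draft threshold.conf lines from the baseline period.

    A rule that fired only from a couple of home hosts all week is most likely a
    known internal service, so it is suppressed for those hosts only. A rule that
    fires at high volume from many sources is rate-limited, not silenced: one
    alert per source per hour still gets through. Everything else is left alone.
    """
    out = []
    for (gid, sid), s in sorted(stats.items()):
        srcs = s["sources"]
        per_day = s["count"] / days
        if len(srcs) <= max_benign_sources and all(is_home(ip) for ip in srcs):
            for ip in sorted(srcs):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        elif per_day >= noisy_per_day:
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds 3600")
    return out


# Constructed one-week baseline. SIDs 1000001-1000003 are placeholders, not real rules.
SAMPLE_ALERTS = [
    # the monitoring host pings a server every few minutes, all week
    "07/21-14:02:11.123456  [**] [1:1000001:1] LOCAL ICMP ping from monitor [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20",
] * 50 + [
    # a single probe from outside: low volume, must stay alerting
    "07/23-03:17:44.000001  [**] [1:1000002:2] LOCAL web probe [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4421 -> 192.168.1.20:80",
    "this line is not a snort alert and must be ignored",
] + [
    # chatty rule matching ordinary browsing from ten home hosts, 150 events a day
    f"07/2{d}-10:00:00.000000  [**] [1:1000003:1] LOCAL noisy content match [**] "
    f"[Priority: 3] {{TCP}} 192.168.1.{h}:{40000 + n} -> 198.51.100.7:80"
    for d in range(1, 8) for h in range(30, 40) for n in range(15)
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_ALERTS)
    for (gid, sid), s in sorted(stats.items()):
        print(f"{gid}:{sid} {s['count']:5d} events from {len(s['sources'])} sources  {s['msg']}")
    print("\n".join(suggest_tuning(stats, days=7)))
```

    Run it against a real week by replacing SAMPLE_ALERTS with the lines of the alert file (or the snort entries grepped out of syslog), and treat the output as a draft to review, not something to append to threshold.conf blindly: a suppress line removes visibility for that host permanently, which is exactly the "not noticing an attack" outcome the post warns about.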

  4. #4
    Junior Member
    Join Date
    Nov 2002
    Posts
    1
    I had the pleasure of listening to and speaking with Marty Roesch at a SANS conference recently (for those who don't know, he wrote Snort and started Sourcefire). Sourcefire's RNA looks incredible and much better than intrusion prevention type systems; however, he says RNA will only be released in the Sourcefire appliances and not for the Snort open source community. I must say, his appliance-based stuff for Sourcefire is truly amazing. If only I had the budget to match :-)
