April 14th, 2004, 01:51 PM
Who what where IDS?
Recently my boss asked me if I would like to tackle the task of implementing an IDS.
Now, I hardly know anything about network security and it absolutely fascinates me.
I've done some reading on some free or extremely low cost IDS solutions (being I work for a K-12 school system, and they can barely afford to pay me). Snort seems to be the most popular IDS app. I was wondering, has anyone heard of the EagleX package and what are your opinions of that package? Any input would be greatly appreciated.
April 14th, 2004, 03:00 PM
I would stick with good ole Snort. Any Unix version is great; the win32 platform is still lacking in speed in my opinion. Marty has done a fantastic job writing code for that program.
"Every day is a 0-day day on the Internet"
April 14th, 2004, 03:20 PM
Umm, EagleX is a "box set" that includes snort, along with a gui that makes things a tad easier for a newbie to set up. I played with it a bit, but since I (currently) really have no use for it, I dumped it awhile back.
IMHO, the learning curve was a bit stiff, but I suppose anything worth learning is the same way. Each of the individual modules (snort, mySqueal, etc ) have adequate forums that should help you muddle through.
And it's free...so I would at least encourage you to try it out.
April 14th, 2004, 03:36 PM
/not intending to get into the proverbial pi$$ing match but the speed of the Win32 port is not a problem at all.
Look at it from the simple POV. As long as I see the alert in a timely fashion, and let's face it - you don't sit there watching real-time alerts 24 hours a day - then who cares about a second here or there? And in reality we are talking milliseconds.
DubYah: I use the Win32 port on a 650 user network with 6 web sites, mail servers and FTP sites.... all the standard stuff and there is no problem whatsoever with Snort. I highly recommend Snort for anyone who wants an IDS whether they want a free one or have a million dollars to throw at an IDS. IMO, Snort stands with the best of them and the price is right on the "button".
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
April 14th, 2004, 03:36 PM
Snort is definitely the way to go. It's a little hard to set up rules and whatnot at first, but there are some great tutorials out there. My biggest problem was I had a WAP that was blasting SNMP broadcasts, about 30,000 a day. Made for some HUGE log files.
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
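Added example (not code from any poster in this thread): a small Python triage script for exactly the noisy-WAP situation above. It parses Snort "alert_fast" log lines, counts alerts per source IP and signature, and renders a Snort `suppress` directive (threshold.conf syntax) for any source that crosses a threshold, so the sensor stops logging a known-benign chatterbox without disabling the rule for everyone else. The sample log lines, IPs and signature ids are constructed for illustration.

```python
import re
from collections import Counter

# One alert per line in Snort's alert_fast format. Captures generator/signature
# ids, the rule message, protocol, and source/destination address and port.
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):?(?P<sport>\d*) -> (?P<dst>[\d.]+):?(?P<dport>\d*)"
)

# Constructed sample log: a wireless AP at 10.1.1.5 firing SNMP broadcast alerts
# plus one unrelated alert. SIDs and messages are illustrative, not real rule ids.
SAMPLE_LOG = """\
04/14-13:51:02.111111  [**] [1:9001:1] SNMP broadcast request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.1.5:1025 -> 10.1.1.255:161
04/14-13:51:03.222222  [**] [1:9001:1] SNMP broadcast request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.1.5:1025 -> 10.1.1.255:161
04/14-13:51:04.333333  [**] [1:9001:1] SNMP broadcast request [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.1.1.5:1025 -> 10.1.1.255:161
04/14-13:52:10.444444  [**] [1:9002:1] WEB-MISC suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.4.9:34567 -> 10.1.1.80:80
"""

def parse_alerts(text):
    """Yield one dict per line that matches the alert_fast layout; skip the rest."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield m.groupdict()

def noisy_sources(text, threshold):
    """Count alerts per (src, gid, sid, msg) and keep those at or above threshold."""
    counts = Counter((a["src"], a["gid"], a["sid"], a["msg"]) for a in parse_alerts(text))
    return {key: n for key, n in counts.items() if n >= threshold}

def suppress_lines(noisy):
    """Render a Snort 'suppress' directive per noisy source, keyed by source IP so
    the rule keeps firing for every other host on the segment."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (src, gid, sid, _msg) in sorted(noisy)]

if __name__ == "__main__":
    found = noisy_sources(SAMPLE_LOG, threshold=3)
    for (src, gid, sid, msg), n in sorted(found.items()):
        print(f"# {n} alerts from {src}: {msg}")
    for directive in suppress_lines(found):
        print(directive)
```

Review the suppressed source before you trust it; a suppress hides the alert, so confirm the host really is the AP and not something impersonating it.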
April 14th, 2004, 05:29 PM
I certainly appreciate the feedback.
I will gather some more information on Snort and of course if and when I come to a brick wall, I will come to my knowledgeable friends here @ AO.
April 14th, 2004, 05:34 PM
DubYah, if you have some budget and want something more than just the online documentation I have found Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID by Rafeeq Rehman to be a good guide at understanding how snort works.
April 14th, 2004, 06:13 PM
I wrote a tutorial on Network Based Intrusion Detection Solutions. It goes into quite a bit of detail, you might be able to take advantage of it.