-
Who what where IDS?
Recently my boss asked me if I would like to tackle the task of implementing an IDS.
Now, I hardly know anything about network security and it absolutely fascinates me.
I've done some reading on some free or extremely low-cost IDS solutions (since I work for a K-12 school system, and they can barely afford to pay me). Snort seems to be the most popular IDS app. I was wondering, has anyone heard of the EagleX package, and what are your opinions of that package? Any input would be greatly appreciated.
Thanks!
-DubYah
-
I would stick with good ole Snort. Any Unix version is great; the Win32 platform is still lacking in speed in my opinion. Marty has done a fantastic job writing code for that program.
-
Umm, EagleX is a "box set" that includes Snort, along with a GUI that makes things a tad easier for a newbie to set up. I played with it a bit, but since I (currently) really have no use for it, I dumped it a while back.
IMHO, the learning curve was a bit stiff, but I suppose anything worth learning is the same way. Each of the individual modules (Snort, mySqueal, etc.) has adequate forums that should help you muddle through.
And it's free...so I would at least encourage you to try it out.
-
Not intending to get into the proverbial pi$$ing match, but the speed of the Win32 port is not a problem at all.
Look at it from the simple POV. As long as I see the alert in a timely fashion, and let's face it, you don't sit there watching real-time alerts 24 hours a day, then who cares about a second here or there? And in reality we are talking milliseconds.
DubYah: I use the Win32 port on a 650-user network with 6 web sites, mail servers and FTP sites... all the standard stuff, and there is no problem whatsoever with Snort. I highly recommend Snort for anyone who wants an IDS, whether they want a free one or have a million dollars to throw at an IDS. IMO, Snort stands with the best of them, and the price is right on the "button".
-
Snort is definitely the way to go. It's a little hard to set up rules and whatnot at first, but there are some great tutorials out there. My biggest problem was I had a WAP that was blasting SNMP broadcasts, about 30,000 a day. Made for some HUGE log files.
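The noisy-WAP problem described in the post above is the everyday case for Snort's suppression mechanism: rather than deleting the SNMP rule, you keep it and tell the sensor to stay quiet about one known source. The following is an added example, not code from the original thread or from the Snort project. It parses Snort "fast" alert-log lines, counts alerts per signature and source address, and drafts Snort 2 `threshold.conf` suppress entries for any source that trips a single SID at or above a threshold. The sample alert lines, the addresses, and the SIDs in them are constructed for this example; check your own rule set for the SID and message your sensor actually fires for SNMP.

```python
"""Find the noisy talkers in a Snort 'fast' alert log and draft suppress lines."""
import re
from collections import Counter

# Constructed sample of Snort fast-format alerts (not captured from a real sensor).
# 10.10.5.2 plays the role of the chatty WAP; the SIDs and hosts are made up.
SAMPLE_ALERTS = """\
03/11-08:00:01.104512  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.5.2:1024 -> 10.10.5.255:161
03/11-08:00:01.604880  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.5.2:1024 -> 10.10.5.255:161
03/11-08:00:02.105033  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.5.2:1024 -> 10.10.5.255:161
03/11-08:00:02.605199  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.5.2:1024 -> 10.10.5.255:161
03/11-08:00:03.105360  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.5.2:1024 -> 10.10.5.255:161
03/11-08:00:17.220001  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.77:40211 -> 10.10.5.20:161
03/11-08:01:44.998120  [**] [1:1000001:1] TEST local rule [**] [Priority: 3] {TCP} 192.0.2.9:55120 -> 10.10.5.40:80
this line is not an alert and must be skipped
"""

# One Snort fast-format alert line. Classification and Priority are optional,
# and ports are absent for protocols such as ICMP.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = FAST_ALERT.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev"):
        alert[key] = int(alert[key])
    return alert


def count_by_source(lines):
    """Count alerts per (gid, sid, msg, source IP); unparseable lines are dropped."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[(alert["gid"], alert["sid"], alert["msg"], alert["src"])] += 1
    return counts


def suppress_lines(counts, threshold):
    """Draft Snort 2 threshold.conf entries for sources firing one SID >= threshold times.

    'suppress ... track by_src, ip X' hides that SID from host X only; the same
    SID from any other host (192.0.2.77 in the sample) still alerts.
    """
    drafts = []
    for (gid, sid, _msg, src), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n >= threshold:
            drafts.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return drafts


if __name__ == "__main__":
    counts = count_by_source(SAMPLE_ALERTS.splitlines())
    for (gid, sid, msg, src), n in counts.most_common():
        print(f"{n:6d}  [{gid}:{sid}] {msg} from {src}")
    print("# candidate threshold.conf entries (review before deploying):")
    for entry in suppress_lines(counts, threshold=5):
        print(entry)
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS.splitlines()` with the file's lines. Review each draft before it goes into `threshold.conf`: a suppress entry is a blind spot for that host and SID, so confirm the traffic really is the device's own management chatter first. If you would rather keep one alert per hour as evidence that the device is still doing it, Snort 2's `event_filter gen_id 1, sig_id <sid>, type limit, track by_src, count 1, seconds 3600` rate-limits instead of silencing.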
-
I certainly appreciate the feedback.
I will gather some more information on Snort and, of course, if and when I come to a brick wall, I will come to my knowledgeable friends here @ AO.
thanks again.
-DubYah
-
DubYah, if you have some budget and want something more than just the online documentation, I have found Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID by Rafeeq Rehman to be a good guide to understanding how Snort works. :)
-
http://www.antionline.com/showthread...hreadid=242664
I wrote a tutorial on Network-Based Intrusion Detection Solutions. It goes into quite a bit of detail; you might be able to take advantage of it.