-
IDS standards
Hi, I have posted a question on remote IDS and no one has answered it! Is it that nobody is sure how to answer this question correctly?? I'm sure not, but I'll ask again.
At work, if I set up an IDS, is it possible for me to set it up so I can monitor it from home? How does it send messages? In what way? Any help would be greatly appreciated.
Best Regards HYBRID :: Thanks in advance
-
Probably no answers because you failed to mention what product, what platform, what environment, etc... Pretty much impossible to answer such a generic question...
Aside from that, answer the platform question yourself and think about how you would get to that box remotely normally, and you will probably answer the question yourself.
-
I think nebulus hit it on the head... generic questions are generally met with rather blank stares - kind of like walking into a ticket broker and asking them if "the show" is on sale.
So... the answer to your question(s) is an unequivocal "yes."
To be a little less ambiguous than you yourself were... if you can talk to it on the network in some form, chances are it can talk to you - and vice versa. (But that's actually a much more difficult and convoluted answer than it surely appears.)
-
Thanks for the feedback, and yes, you are both right! OK. The network consists of 3 Linux Debian boxes (file server, web server and mail server). There are also 5 Win 2000 servers running file servers and dial-up servers, 1 border router and 1 internal router, and there are 2 firewalls, one in front of each group of servers, e.g. 1 in front of the Linux and 1 in front of the Win2000. They all have basic and shitty logs. I want to monitor all traffic and logs from all servers, routers and firewalls. If you guys want to know more, please ask! All help is a godsend.
Thanks again in advance
-
Hmmm... well, you ask about IDS, but you give network specs (sort of).
Ideally, hosts should log to themselves and to a network location elsewhere (as a minimum).
As far as network IDS goes, well placement's a bit of a holy war... you still haven't indicated what you are planning on using, etc.
-
Hmm, Snort for the *nix-based OSes, and I haven't come across many Win32 IDSes. Please, I need all the help I can get with IDSes.
-
Last I knew, putting Winblowz into promiscuous mode kinda sucked... even ISS has a BSD appliance with an NT console (i.e. the part doing the real work is on UN*X).
-
Well, what you seem to be asking about is how to get all the logs in one place. I am not sure about the winblowz boxes, but the rest of the things you mentioned should all be able to write to a remote syslog server (which they really should be doing in the first place to protect logs/evidence).
As far as IDS goes, you would be well served by placing a NIDS at your internet connection. Easiest thing to do is get a simple box with plenty of memory and throw snort on it. It is free, it is fast, frequently updated, and is overall pretty damn good (drawback can be monitoring/database watching, although there are plenty of web based frontends that help with it pretty significantly).
Now to get to the original question, you could monitor both of what I have mentioned from anywhere you want; however, I would make sure to lock the access down tight to your remote IP and your remote IP only, otherwise you are inviting disaster (think of all the lovely information someone on the internet could see about your network/servers/accounts if they could browse your snort logs) :)
Hope that helps,
neb
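The "write to a remote syslog server" advice above (and the "log to themselves and to a network location" point a few posts up) in working form, as an added example that is not part of the original thread. It is a minimal UDP collector for BSD-style (RFC 3164) syslog: it decodes the <PRI> field into facility and severity, keeps one file per sending host, and drops datagrams from any address not on an allow-list, since syslog over UDP is trivially spoofable and an attacker who can inject messages can bury the real ones. The sender addresses, the log directory and the sample message are constructed for the example.

```python
"""Minimal remote syslog collector for RFC 3164 (BSD) UDP messages.
Added example; not code from the thread. Addresses, paths and the sample
message below are constructed."""
import re
import socket
from collections import namedtuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# Hosts allowed to log to us (constructed). Anything else is dropped so a
# third party cannot flood the collector with forged events.
ALLOWED_SENDERS = {"192.0.2.10": "web", "192.0.2.11": "mail",
                   "192.0.2.1": "border-rtr"}

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)

Event = namedtuple("Event", "facility severity timestamp host message")

def parse_syslog(raw):
    """Return an Event for one RFC 3164 line, or None if malformed.
    PRI = facility * 8 + severity, so PRI > 191 is out of range."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    fac, sev = divmod(pri, 8)
    return Event(FACILITIES[fac], SEVERITIES[sev], m.group("ts"),
                 m.group("host"), m.group("msg").rstrip("\n"))

def accept(sender_ip, raw):
    """Allow-list check first, then parse. Returns (event, reason)."""
    if sender_ip not in ALLOWED_SENDERS:
        return None, "dropped: unknown sender %s" % sender_ip
    ev = parse_syslog(raw)
    if ev is None:
        return None, "dropped: malformed message"
    return ev, "ok"

def serve(bind="0.0.0.0", port=514, logdir="/var/log/remote"):
    """Listen on UDP/514 (needs root) and append to one file per host.
    logdir is a constructed path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (ip, _) = sock.recvfrom(8192)
        ev, reason = accept(ip, data.decode("latin-1"))
        if ev is None:
            print(reason)
            continue
        with open("%s/%s.log" % (logdir, ev.host), "a") as fh:
            fh.write("%s %s.%s %s\n" % (ev.timestamp, ev.facility,
                                        ev.severity, ev.message))

# Constructed sample: PRI 38 = auth (4) * 8 + info (6).
SAMPLE = ("<38>Jan 19 14:02:15 web sshd[1234]: Failed password for root "
          "from 198.51.100.7 port 3219 ssh2")

if __name__ == "__main__":
    print(accept("192.0.2.10", SAMPLE))
    print(accept("203.0.113.9", SAMPLE))
```

Run it as root with `serve()` on the log host and point `/etc/syslog.conf` on the other boxes at it (`*.* @collector`). The allow-list is a sanity filter, not authentication: anyone who can spoof a source address on your segment can still forge entries, so the firewall rule that only lets UDP/514 in from those hosts belongs on the collector as well.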
-
Thanks NEB, well, you have helped greatly. I just have a few more questions. Once this is set up and I get a message from the IDS, how do I trace that IP to find who it is, etc., and what they have been doing and where they have been? I know it's a lot to ask, but you seem to know what you're talking about. I know all about whois and the rest, but that will give me an ISP and that's it, yes or no?
thanks again for your help
-
Whois is all you need to know who was doing what. I recommend that you download and install Snort and its signatures, let it run for a while, and then keep checking what every event that shows up is. Snort (as well as others) will vividly describe what it sees and why it thinks it's bad. Just remember, IDS boxes are just like AV software: they only detect 'known attack signatures'. They could, depending on how the filter is written, miss an attack that has been modified, or variants of the same attack. In other words, you will not be able to see everything that has been going on, but usually enough to know someone was up to no good...
neb
-
Well, if you set snort to log to syslog (for *nix), you can use swatch or logcheck to monitor the log and mail you under certain conditions.
It is possible to run snort on win32 platforms, binaries are available here
http://www.snort.org/dl/binaries/
Maybe there is a utility available for Windows which could take care of the notification, I don't know.
Also, you could set snort to log to mysql, and find a script or something which will periodically check for new additions to the database, and mail those to you.
Also, there is something called ACID which is an analysis console for snort, basically a webpage. I suppose you could use that remotely, although I'm not sure you would really want it set up that way, as now your IDS box would have to make services available from the internet and that could lead to a compromised IDS box.
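The "script which periodically checks for new additions and mails them to you" idea from the post above, as an added example that is not part of the thread. It works from Snort's fast-format alert file (the `alert_fast` output) rather than the MySQL table the post mentions, so it needs no database: it remembers the file offset between runs, hands back only complete new lines, drops alerts below a priority threshold so ICMP pings do not wake you up, groups the rest by signature and source, and formats a report for mail. The alert lines, the file paths and the mail addresses are constructed; `send_report` is only called if you uncomment the real-run block.

```python
"""Check Snort's fast-alert file for new alerts since the last run and
build a mail report. Added example; not code from the thread.
Paths, addresses and sample alert lines are constructed."""
import json
import os
import re
import smtplib
from collections import defaultdict
from email.message import EmailMessage

# MM/DD-hh:mm:ss.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<class>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_alert(line):
    """Dict of fields for one fast-format alert line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    return d

def read_new_lines(path, state_path):
    """Return complete lines appended since the offset saved in state_path.
    A partially written last line is left for the next run; a file that
    shrank (log rotation) is read from the start."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = json.load(fh).get("offset", 0)
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    cut = data.rfind(b"\n") + 1
    with open(state_path, "w") as fh:
        json.dump({"offset": offset + cut}, fh)
    return data[:cut].decode("latin-1").splitlines()

def summarize(lines, max_priority=2):
    """Group alerts with priority <= max_priority (1 is most severe) by
    (priority, sid, msg, src); sort by priority, then count descending."""
    counts, first = defaultdict(int), {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority:
            continue
        key = (a["prio"], a["sid"], a["msg"], a["src"])
        counts[key] += 1
        first.setdefault(key, a["ts"])
    rows = [{"priority": p, "sid": sid, "msg": msg, "src": src,
             "count": n, "first_seen": first[(p, sid, msg, src)]}
            for (p, sid, msg, src), n in counts.items()]
    rows.sort(key=lambda r: (r["priority"], -r["count"]))
    return rows

def build_report(rows):
    """Plain-text mail body; empty string means nothing to send."""
    if not rows:
        return ""
    out = ["%d new alert group(s):" % len(rows)]
    for r in rows:
        out.append("P%d x%-4d %s (sid %s) from %s, first %s" % (
            r["priority"], r["count"], r["msg"], r["sid"], r["src"], r["first_seen"]))
    return "\n".join(out)

def send_report(body, sender, recipient, host="localhost"):
    msg = EmailMessage()
    msg["Subject"] = "[snort] new alerts"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content(body)
    with smtplib.SMTP(host) as s:
        s.send_message(msg)

# Constructed sample lines in Snort fast-alert format, plus one junk line.
SAMPLE_ALERTS = [
    "01/19-14:02:15.123456  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3219 -> 192.0.2.10:80",
    "01/19-14:02:16.223456  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3220 -> 192.0.2.10:80",
    "01/19-14:05:01.000001  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.10",
    "01/19-14:06:44.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.11",
    "this line is not an alert",
]

if __name__ == "__main__":
    print(build_report(summarize(SAMPLE_ALERTS)))
    # Real run from cron (constructed paths and addresses):
    # lines = read_new_lines("/var/log/snort/alert", "/var/lib/snortmail/state.json")
    # body = build_report(summarize(lines))
    # if body:
    #     send_report(body, "snort@example.com", "you@example.com")
```

Run it from cron every few minutes on the sensor. Mailing a summary keeps the sensor from having to expose any listening service toward the internet, which sidesteps the ACID-over-the-net worry raised above: the sensor only initiates outbound SMTP.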
-
There is also demarc (IMHO a little better/more user-friendly than acid) and snortreport (never used it) for SNORT frontends (http://www.snort.org/dl/contrib/front_ends).
demarc was at one time (and I think still is) free for non-commercial use (same with acid). They are both basically http front ends and if you take the time to properly secure the server with access-lists/authentication/patches and restrict access at your firewall, it should be 'ok' to use.
-
Sorry for the short reply..
I found one tool for Windows/Snort in my mail yesterday and it may be worth checking out ?
IDScenter : Snort IDScenter is a GUI for Snort IDS on Windows platforms.
Remember that this is a beta and not a stable release; I would not recommend putting it in production without some thorough testing first :).
~micael
-
Ta, so far so good. I've got that Snort control center and I use it for my PC at home; it is very handy. And BTW, thanks to everybody for their help. If anything else comes up, please don't hesitate to post.
Regards HYBR|D