Snort mailing list archives
RE: PLEASE HELP HERE.
From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Mon, 9 Feb 2004 04:54:31 -0500
Hi, I think the best advice I can give here is for you to plan to take some time and figure out the "best" answers for yourself. This is not a "cop out", and I am sure you will get a lot of excellent advice from others on this list. What I mean is that there are many good practices and excellent technical solutions for any IDS solution. What works "best" for me (or someone else) may not be even a "good" fit in your environment.

As a first step, I would suggest that you start small. Implement a single sensor, perhaps on your own workstation or on an "extra" PC. Whether it is running Windows or UNIX is pretty irrelevant at this point. Use whatever you are most comfortable administering. Use this platform to gain experience about the number and type of alerts you see in your environment (give it a couple of weeks at *least* for you to become comfortable with what you are seeing).

While this is running, use the time to research (google is your friend, so is www.snort.org) other possible "add ons" to help collect data from one or multiple sensors. Next implement a monitoring mechanism (ACID is pretty popular, but even simple text logs can be effective if configured well). Take a bit of time working this out.

At the same time, try monitoring different points in your topology. There are good cases for network taps, but certainly "port mirroring" on a switch is a viable solution. In smaller networks (less than 5 Mb/s maximum throughput as a quick rule of thumb) you might even be able to use a cheap "hub" spliced in-line where you want to monitor. Where you monitor depends on what you are trying to protect. Right "behind" your firewall is a good place to look for inbound attacks that *should be* stopped by the firewall. It is also a good place to look for outbound attacks that might indicate compromised internal machines.
Also, if you have specific internal servers that contain critical resources, you might want to put an IDS so that it can see all access to/from those machines.

As far as the administrative interface, I would simply ask that you think about risk vs. benefit. If you allow access from the Internet, what possible benefit will you have? Do you have another way to access the system? A VPN or other secured remote-access method available to you? If so, I would strongly recommend *against* making this system available on the Internet. The risk of someone being able to compromise it means they would have access to whatever (internal) network traffic the sensor could see. (read this last sentence again for full effect :-)

Logging and reporting will vary according to how much traffic you see and what the "real" alerts are that you decide you need to watch for *in your environment*. (for a couple of quick examples: if you do not run any web servers, you would not need to concern yourself *as much* with any web probes/attacks as you would if you had critical resources on web hosts; if you are not a SQL-Server shop, then SQL alerts would be less concerning to you, etc.)

Good luck!

Jim

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of vasanth b
Sent: Sunday, February 08, 2004 10:00 PM
To: snort-users () lists sourceforge net
Cc: ravivsn () roc co in; pauls () utdallas edu; patrick () internetsecurityguru com
Subject: [Snort-users] PLEASE HELP HERE.

I will be implementing an IDS using Snort in our company network infrastructure and would be thankful for some help. After going through all the documents found on snort.org, I have some doubts about implementing the Snort IDS.

1. REGARDING SENSORS: Are sensors or taps compulsory? Can we use Snort to monitor using a SPAN or mirror port on the switch? If a sensor is necessary, where do we get it and how do we place it? Also, I found different kinds of taps on the net, so please advise me on this.

2. EVENT MONITORING - How do we best configure the IDS NIC that will act as an admin interface, where I will be connecting for event information? Should I configure this interface with security to be accessed from the Internet, or should I configure this interface to be accessed from the LAN via the firewall?

3. LOGS - Where should I store all the logs? Do I need a separate server to store all the logs? If not, approximately how much space will be required?

4. REPORTING - What is the best way to centralize and access all event reporting? What is the best product to accomplish this?

Please be kind enough to let me know if you have a better approach to any of this or if you have any other comments or suggestions.

ADVANCE THANKS TO ALL WHO HELP AND GIVE THEIR VALUABLE IDEAS.

Regards,
VASANTH.B

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
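Jim's advice above amounts to a procedure: run one sensor, watch the alerts for a couple of weeks, then decide which signatures matter in your environment and tune the rest down. The script below is an added example of that triage step; it is not code from this thread or from the Snort project. It assumes Snort 2's `alert_fast` output format and the `suppress`/`event_filter` syntax of Snort 2.x `threshold.conf`. The alert lines, the SIDs in the local-rule range (1000001 and up), and the addresses are constructed sample data, not a real capture.

```python
"""Triage Snort 2 'alert_fast' output: count alerts per signature and
per source, draft threshold.conf entries for the noisy ones, and flag
alerts aimed at services the site does not run.

Added example for the mailing-list thread; not Snort project code.
All alert lines below are constructed; SIDs >= 1000000 are the local
rule range and are placeholders."""
import re
from collections import Counter, defaultdict

# One alert_fast line, e.g.
# 02/09-04:54:31.123456  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 1] {TCP} 1.2.3.4:5 -> 6.7.8.9:80
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'   # classification is optional
    r'\[Priority:\s*(?P<pri>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]),
            "msg": d["msg"], "pri": int(d["pri"]), "proto": d["proto"],
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None}


def summarize(lines):
    """Count alerts per (gid, sid) and per (gid, sid, source IP)."""
    by_sig, by_sig_src, msgs = Counter(), defaultdict(Counter), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue          # non-alert lines (e.g. startup banner) are skipped
        key = (a["gid"], a["sid"])
        by_sig[key] += 1
        by_sig_src[key][a["src"]] += 1
        msgs[key] = a["msg"]
    return by_sig, by_sig_src, msgs


def draft_threshold_conf(by_sig, by_sig_src, msgs, noisy=10, single_src_share=0.9):
    """Draft Snort 2.x threshold.conf lines for signatures firing >= `noisy` times.
    A signature dominated by one source gets a 'suppress ... ip' entry (to be
    verified by a human first); a broadly firing one gets a rate limit instead,
    so it keeps alerting but once per source per minute."""
    out = []
    for (gid, sid), n in by_sig.most_common():
        if n < noisy:
            continue
        src, c = by_sig_src[(gid, sid)].most_common(1)[0]
        if c / n >= single_src_share:
            out.append(f"# {msgs[(gid, sid)]}: {c}/{n} alerts from {src}; "
                       f"confirm {src} is a known scanner before suppressing")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            out.append(f"# {msgs[(gid, sid)]}: {n} alerts from "
                       f"{len(by_sig_src[(gid, sid)])} sources; rate-limit, do not silence")
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds 60")
    return out


def alerts_to_unserved_ports(lines, served_ports):
    """Jim's tuning point: alerts against services you do not run rank lower.
    Returns a Counter of (sid, dport) for alerts whose destination port is
    not one the site actually serves."""
    c = Counter()
    for line in lines:
        a = parse_alert(line)
        if a and a["dport"] is not None and a["dport"] not in served_ports:
            c[(a["sid"], a["dport"])] += 1
    return c


def _constructed_alerts():
    """Constructed sample: 11 web probes from one host, 1 from another,
    10 pings from 5 hosts, 1 SQL probe, and one non-alert line."""
    web = ("[**] [1:1000001:1] LOCAL WEB-IIS cmd.exe access [**] "
           "[Classification: Web Application Attack] [Priority: 1] {TCP} ")
    lines = [f"02/09-04:{i:02d}:00.000000  {web}203.0.113.7:{3000 + i} -> 192.168.1.10:80"
             for i in range(11)]
    lines.append(f"02/09-04:30:00.000000  {web}198.51.100.4:4411 -> 192.168.1.10:80")
    for i in range(5):
        for j in range(2):
            lines.append(f"02/09-05:{i:02d}:{j:02d}.000000  [**] [1:1000002:1] LOCAL ICMP PING [**] "
                         f"[Classification: Misc activity] [Priority: 3] {{ICMP}} "
                         f"203.0.113.{10 + i} -> 192.168.1.{20 + j}")
    lines.append("02/09-06:00:00.000000  [**] [1:1000003:1] LOCAL MS-SQL probe [**] "
                 "[Priority: 2] {TCP} 198.51.100.9:5150 -> 192.168.1.30:1433")
    lines.append("this line is not an alert and is skipped")
    return lines


SAMPLE_ALERTS = _constructed_alerts()

if __name__ == "__main__":
    for line in draft_threshold_conf(*summarize(SAMPLE_ALERTS)):
        print(line)
    print(alerts_to_unserved_ports(SAMPLE_ALERTS, served_ports={80}))
```

On the constructed data the web-probe signature is 11/12 from one source, so the draft proposes a per-IP `suppress`, while the ping signature spread across five hosts gets an `event_filter` rate limit. The `suppress` lines are deliberately emitted with a comment asking for human confirmation: a "noisy" source may be a vulnerability scanner you own, or it may be the attacker you most want to see. Point the script at a real `alert` file instead of `SAMPLE_ALERTS` once the sensor has run for the couple of weeks Jim suggests.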
Current thread:
- PLEASE HELP HERE. vasanth b (Feb 08)
- RE: PLEASE HELP HERE. Jim Hendrick (Feb 09)
- <Possible follow-ups>
- Re: PLEASE HELP HERE. M. Morgan (Feb 09)