Snort mailing list archives

Re: What makes a complete IDS package?


From: "Edward Fjellskål" <edwardfjellskaal () gmail com>
Date: Fri, 18 Mar 2011 20:25:02 +0100

For what it is worth...

If you look at the IDS as if you were to buy it as a commercial
appliance, you would want at least to have something like this:

* An easy way to upgrade the OS (/Firmware).
* An easy way to upgrade the IDS/IPS engine
* An easy way to update rules
* An easy way to tune rules/policies
* A way to do user/group management
* A way to query the appliance for status (SNMP etc.)
* A way to get syslog data
* A way to protect the appliance (Firewall and Integrity checking)
* A way to easily replace/restore it from backup
* A way to see trend graphing and system health.
* One good GUI to do all this in... :)
* And reports for the guys up stairs.... :)

I have yet to find any silver bullets in the free and open
world. That's why I use parts that exist...

I commonly use (but this is more than just IDS):
* Ubuntu LTS for OS
* OSSEC for integrity checking+++
* Nagios for system health and alert
* Munin for trend graphing
* Oinkmaster/PulledPork/Homebrewed for rules
* I update my IDS packages myself :)
* VRT and ET rules + homebrew

I also use Sguil, with the stack that that brings...
* Snort/Suricata
* PADS (and PRADS from today!!)
* daemonlogger
* cxtracker

At the moment I use snort for IDS/IPS, suricata for HTTP/proxy logs.
I use PRADS for making host_attribute.xml file for snort and also
for having control over my inventory/assets. cxtracker for sessions,
and daemonlogger for pcap. I have used PADS in sguil for gathering
some quick info about hosts, but PRADS on the sensors for more
deep insight into my network and for snort auto tuning.
(PRADS in git today has a way (beta) to replace PADS)

In the future I'm looking for passive-dns also
(http://www.enyo.de/fw/software/dnslogger/) as I see it has great
value to my Network Security Monitoring stack.


E
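As an added example (not code from Edward's post, nor from the PRADS or Snort projects), here is a small converter that takes PRADS asset-log records and emits the Snort 2.x host_attribute.xml that Edward describes using for snort auto-tuning. The asset-log column layout, the position of the OS name inside the bracketed fingerprint field, the frag3/stream5 policy mapping and the sample records are assumptions constructed for the example; compare against your own prads output before relying on it. The one edge case worth noting is that the bracketed service-info field contains commas of its own, so a naive split on "," breaks the record.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in an assumed PRADS asset-log layout (check your own prads output):
# asset,vlan,port,proto,service,[service-info],distance,discovered
SAMPLE_ASSET_LOG = """\
# asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.0.10,0,80,6,SERVER,[http:Apache/2.2.14],0,1300000000
10.0.0.10,0,0,6,SYN,[65535:64:1:60:M1460,N,W2,N,N,T,S,E,E:.:Linux:2.6],0,1300000000
10.0.0.10,0,33333,6,CLIENT,[http:Mozilla/5.0],0,1300000000
10.0.0.20,0,445,6,SERVER,[smb:Microsoft Windows],0,1300000000
10.0.0.20,0,0,6,SYN,[8192:128:1:52:M1460,N,W2,N,N,S:.:Windows:XP],0,1300000000
10.0.0.30,0,53,17,SERVER,[domain:BIND 9],0,1300000000
"""

# The bracketed service-info field may itself contain commas, so a plain
# str.split(",") corrupts the record; anchor on the brackets instead.
_LINE_RE = re.compile(
    r"^(?P<ip>[^,]+),(?P<vlan>[^,]+),(?P<port>\d+),(?P<proto>\d+),"
    r"(?P<kind>[^,]+),\[(?P<info>.*)\],(?P<distance>[^,]+),(?P<seen>[^,]+)$"
)

IPPROTO = {6: "tcp", 17: "udp"}

# OS family -> (frag3 policy, stream5 policy); assumed mapping, adjust to taste.
OS_POLICY = {
    "linux": ("linux", "linux"),
    "windows": ("windows", "windows"),
    "freebsd": ("bsd", "bsd"),
    "openbsd": ("bsd", "bsd"),
    "solaris": ("solaris", "solaris"),
}


def parse_prads_assets(text):
    """Return {ip: {"os": name-or-None, "services": {(port, ipproto): service}}}."""
    hosts = defaultdict(lambda: {"os": None, "services": {}})
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than poison the table
        rec = m.groupdict()
        host = hosts[rec["ip"]]
        if rec["kind"] == "SYN":
            # assumed layout: <tcp fingerprint>:.:<OS>:<version>
            parts = rec["info"].split(":")
            if len(parts) >= 2:
                host["os"] = f"{parts[-2]} {parts[-1]}".strip()
        elif rec["kind"] == "SERVER":
            ipproto = IPPROTO.get(int(rec["proto"]))
            if ipproto is None:
                continue
            service = rec["info"].split(":", 1)[0]
            host["services"][(int(rec["port"]), ipproto)] = service
        # CLIENT records describe outbound software, not listeners; ignored here
    return dict(hosts)


def build_host_attribute_xml(hosts):
    """Serialize hosts as Snort 2.x host_attribute.xml (ATTRIBUTE_MAP + ATTRIBUTE_TABLE)."""
    ids = {}

    def ref(parent, tag, value, confidence="100"):
        node = ET.SubElement(parent, tag)
        ET.SubElement(node, "ATTRIBUTE_ID").text = str(ids.setdefault(value, len(ids) + 1))
        ET.SubElement(node, "CONFIDENCE").text = confidence

    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")  # created first so it precedes the table
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")

    for ip in sorted(hosts, key=ipaddress.ip_address):
        info = hosts[ip]
        h = ET.SubElement(table, "HOST")
        ET.SubElement(h, "IP").text = ip
        if info["os"]:
            osn = ET.SubElement(h, "OPERATING_SYSTEM")
            ref(osn, "NAME", info["os"])
            family = info["os"].split()[0].lower()
            if family in OS_POLICY:  # unknown OS: omit, let snort.conf defaults apply
                frag, stream = OS_POLICY[family]
                ET.SubElement(osn, "FRAG_POLICY").text = frag
                ET.SubElement(osn, "STREAM_POLICY").text = stream
        if info["services"]:
            svcs = ET.SubElement(h, "SERVICES")
            for (port, ipproto), service in sorted(info["services"].items()):
                s = ET.SubElement(svcs, "SERVICE")
                for tag, value in (("PORT", str(port)), ("IPPROTO", ipproto)):
                    node = ET.SubElement(s, tag)
                    ET.SubElement(node, "ATTRIBUTE_VALUE").text = value
                    ET.SubElement(node, "CONFIDENCE").text = "100"
                ref(s, "PROTOCOL", service)

    # Fill the map after the table so every referenced ID has an entry.
    for value, i in sorted(ids.items(), key=lambda kv: kv[1]):
        e = ET.SubElement(amap, "ENTRY")
        ET.SubElement(e, "ID").text = str(i)
        ET.SubElement(e, "VALUE").text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_host_attribute_xml(parse_prads_assets(SAMPLE_ASSET_LOG)))
```

Point snort at the generated file with `attribute_table filename /path/to/host_attribute.xml` in snort.conf; frag3 and stream5 then use the per-host policies for those IPs, and service-aware rules match on the PROTOCOL names instead of fixed ports. Regenerate the file from the PRADS asset log on a schedule, since it is only as current as the last run.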

On 03/18/2011 01:38 PM, James Lay wrote:
So…..topic says it all.  We all know Snort in and of itself isn't what
say…a CEO would call a complete IDS package.  That being said, what
addons are really required, to you, to make it so?  As much as I loathe
the LAMP environment, it seems like that's pretty much the only option
if you want reporting.  I'm currently using snortalog (modified since
it's old) from syslog, and oinkmaster…what else is there besides LAMP
above?  I know there's barnyard2 for piping unified to mysql, but to be
honest, the less processes I have running on my IDS, the better in my
mind.  Can anyone add to my list below?  Thanks for anything you can add.

Reporting:
LAMP, Barnyard2 &
Base
Sguil
Snorby

Rules management:
Oinkmaster
PulledPork



------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

