Snort mailing list archives

Re: snort as HIDS


From: Luke Ager <luke.ager () me com>
Date: Wed, 06 Jul 2016 22:41:53 +0100

Although I can see your angle, it really isn't a HIDS.
As Charles says, achieving integrity on top of the HIDS function would be difficult without some sort of agent 
performing FIM on the log location. You're also going to be running multiple instances of SNORT which won't be very 
easy to centrally manage from a HIDS perspective. 

Also surprised to see a DOD contractor revealing security architecture so openly. 



On 6 Jul 2016, at 22:25, Lamont, Brian A. <Brian.Lamont () gd-ms com> wrote:

It's “configured” to sniff the local interface with just a community.rules file defined. I may have been misled 
that we are using it as a “HIDS”, but perhaps it’s not really doing that. The initial evaluation and decision to 
implement was done by another team.
 
 
 
Brian Lamont
Unix Systems Admin
 
Desk:  480 586-9986
Cell:     480 209-8751
brian.lamont () gd-ms com
 
This message and/or attachments may include information subject to GD Corporate Policies 07-103 and 07-105 and is 
intended to be accessed only by authorized recipients.  Use, storage and transmission are governed by General 
Dynamics and its policies. Contractual restrictions apply to third parties.  Recipients should refer to the policies 
or contract to determine proper handling.  Unauthorized review, use, disclosure or distribution is prohibited.  If 
you are not an intended recipient, please contact the sender and destroy all copies of the original message.
 
 
From: Davison, Charles Robert [mailto:cdaviso1 () vols utk edu] 
Sent: Wednesday, July 06, 2016 2:18 PM
To: Lamont, Brian A.; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort as HIDS
 
Brian,
 
You really should look to something else as a HIDS, like:
 
http://www.la-samhna.de/samhain/
https://ossec.github.io/
 
Snort is specifically a NIDS and should be used as such. You won't be able to do FIM or log collection. I came into 
an AWS environment where they used snort as a HIDS only for the fact that it checked a box for PCI. That same 
environment ended up switching to Samhain as a HIDS and funneled all the traffic in a VPC through snort as a NIDS. 
Hopefully this helps.

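To make concrete the file-integrity monitoring (FIM) function that Charles and Luke say Snort does not provide, here is an added, self-contained example (not code from the thread, Samhain or OSSEC): it hashes a directory into a baseline, then reports files that were added, removed or modified. The directory contents and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative path) to its digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: what a HIDS agent would alert on."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the monitored directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample files standing in for a log location
        (root / "secure.log").write_text("Jul  6 22:25:01 host sshd[101]: Accepted publickey\n")
        (root / "snort.alert").write_text("[**] [1:1000001:1] constructed alert [**]\n")
        baseline = build_baseline(root)
        # Changes a FIM agent must catch: a log truncated, a new file appearing
        (root / "secure.log").write_text("")
        (root / "dropped.sh").write_text("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The gap Luke describes remains: the baseline must be kept where the monitored host cannot rewrite it (a remote store or a signed copy), otherwise the check attests only that the host agrees with itself.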
 
_____________________________
From: Lamont, Brian A. <brian.lamont () gd-ms com>
Sent: Wednesday, July 6, 2016 2:35 PM
Subject: [Snort-users] snort as HIDS
To: <snort-users () lists sourceforge net>



We have a very basic configuration of snort deployed across our linux/unix systems, and we are being told that snort 
is not a host intrusion tool, although that is what we have configured it to be. Could I get an argument that 
supports the use of Snort on Linux/Solaris as a host intrusion tool, any supporting names of the features, software, 
etc. that prove its use as a HIDS?
 
Thank you!
 
 
Brian Lamont
Unix Systems Admin
 
Desk:  480 586-9986
Cell:     480 209-8751
brian.lamont () gd-ms com
 
 
 
 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!