
| Subject: | Re: newbie quetsions |
|---|---|
| Date: | Fri, 31 Dec 2004 00:14:30 -0500 |
Dave Aitel Immunity, Inc.
Harper, Patrick wrote:
Snort is a good option (in my opinion) for any size business. The larger the deployment, the better you need to be at using it. The box you're running now for your gateway might be a little light for the job; you might want to look at a faster system, but you do not need a fast server or anything for a deployment your size.
Remember IDSs require tuning; out of the box they are all pretty
much useless because they will just overload you with info that does
not matter and you will either stop watching or uninstall it because
you think it is useless. Tune the rule set for your deployment. If
you're running an IIS server internally then you do not need the Apache
rules. If you are an Oracle shop then you do not need most of the MS
SQL rules. Learn how to threshold and suppress as needed.
There are several good books out on Snort. The Syngress book is written by people that know Snort inside and out, like Brian Caswell. http://www.bookpool.com/.x/pizrqesaor/sm/1931836744
Hope that helps. I am a little biased to the Snort side of the world, but that is only because it has done me well for so long.
-----Original Message-----
From: Andrey Todorov [mailto:andreyt@gawab.com]
Sent: Friday, December 24, 2004 9:08 AM
To: focus-ids@securityfocus.com
Subject: newbie quetsions
Hi People,
I tried several times to subscribe myself to "Security Basics"
mailing list to ask my questions, but didn't succeed. Excuse me if my
questions aren't adequate to "Focus IDS" mailing list!
I'll be very grateful if you share your opinion with me for the following situation. I have a small network (5 PCs) behind one Linux
box (iptables firewall, Pentium I 166MHz, 32MB RAM, 4GB HDD) and want to
increase security for this network.
1. Do I need IDS?
2. What do you think about Snort? Can I find an easier-to-maintain free/open-source IDS than Snort?
3. What IDS literature should I read?
Thank you in advance!
Andrey
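The advice above to threshold and suppress noisy rules can be driven by data from the sensor's own alert log. The following is an added example, not part of the original thread: it counts alerts per signature in Snort fast-alert format and proposes Snort 2.x standalone `threshold` or `suppress` lines for review. The sample alerts, SIDs, IPv4 addresses, the function name `tuning_candidates` and the cut-off values are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert line: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+[\d.]+"
)

def _line(sid, msg, src):
    # Builds one constructed alert line; SIDs, messages and addresses are made up.
    return (f"12/30-23:10:01.000001  [**] [1:{sid}:1] {msg} [**] "
            f"[Priority: 2] {{TCP}} {src}:4021 -> 192.168.1.1:80")

SAMPLE = (
    [_line(1000001, "LOCAL backup agent banner", "192.168.1.20")] * 9
    + [_line(1000001, "LOCAL backup agent banner", "192.168.1.21")]
    + [_line(1000002, "LOCAL web probe", f"192.168.1.{i}") for i in range(30, 36)]
    + [_line(1000003, "LOCAL rare event", "192.168.1.40")] * 2
)

def tuning_candidates(lines, noisy=5, dominant=0.8):
    """Suggest suppress/threshold lines for signatures firing >= `noisy` times."""
    total, by_src = Counter(), defaultdict(Counter)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        key = (int(m["gid"]), int(m["sid"]))
        total[key] += 1
        by_src[key][m["src"]] += 1
    out = []
    for (gid, sid), n in total.most_common():
        if n < noisy:
            continue  # rare alerts are left alone: they are not the noise problem
        src, hits = by_src[(gid, sid)].most_common(1)[0]
        if hits / n >= dominant:
            # One host produces nearly all hits: review it, then suppress per source.
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            # Many sources: keep the signature but rate-limit it per source.
            out.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds 60")
    return out

if __name__ == "__main__":
    print("\n".join(tuning_candidates(SAMPLE)))
```

The output is a list of candidates only; each host or signature should be checked before a line is copied into the sensor's threshold configuration.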