Network Security Focus-IDS

Re: New to Snort !!!

Subject: Re: New to Snort !!!
Date: Tue, 31 May 2005 16:08:54 -0700
There are really two schools of thought on where to place an IDS, one is 
external, the other is internal; in a perfect world you'll want to cover 
both and diff the logs (to see what made it through and what didn't).

I agree that for testing (performance and functionality) and fun you should 
place your IDS on the "outer-most network device"; however, if you are 
constrained by budget/time and can only place one IDS, my advice would be 
to place it inside your edge device, or behind your firewall. You won't 
see external attacks to your firewall, but you will see how/what attacks 
are coming through your edge and into your "trusted" network, and really 
your firewall should be dropping all packets that have the firewall IP 
address as a destination. That's just my opinion but I think you will get 
the most bang for your buck if you see what makes it through to your 
network not just what exists on the Internet. 

By the way, let me tell you how annoying it is to go to the network 
support staff and show them logs of fruitless/mis-targeted/blocked 
attacks and have them say "yeah yeah..  our firewall blocked that... now 
tell us something we don't know." I'd rather show them what their firewall 
is letting through and leverage that to fix the issues/vulnerabilities 
that affect your network. 

There are tons of online references to find out more about Snort and 
Intrusion Detection in general. I really have to recommend the following: 
Snort 2.0 Intrusion Detection or Snort 2.1 Intrusion Detection, Second 
Edition from Syngress. It's written by Snort developers and it gives a 
great overview of IDS (in my opinion) as well as takes you into the nuts 
and bolts of Snort, pre-processing, optimizing, and it covers reporting 
too. I would have to rate it as a "must have" for you, in your situation. 
I would also recommend Network Intrusion Detection, An Analyst Handbook by 
New Riders - it's an oldie but a goody that gives great general advice on 
analyzing attacks. 

Googling for Overview of Intrusion Detection, Intrusion detection 
anomalies, and Intrusion Detection system deployment  should give you a 
lot of material for the more generalized background and foundational 
knowledge you should become familiar with. You made a good choice with 
Snort, but now you need to learn why, what the differences are between it 
and other IDSs, and how you can apply those differences to your 
advantage, as well as how to make the system better.

You didn't choose the most noobie friendly IDS, but you certainly picked 
one of the most powerful and customizable.

Good luck!

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com
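The "diff the logs" step Justin describes above, as an added worked example (editor's code, not part of his mail and not Snort project code): it parses Snort's one-line "fast" alert format from an external sensor and an internal sensor, correlates alerts by rule id and flow endpoints, and splits them into what the edge blocked, what made it through, and what only the inside sensor saw. The alert lines are constructed samples using documentation-range addresses, and the script assumes no NAT sits between the two sensors (otherwise the address-based key would not line up); 198.51.100.1 stands in for the firewall's own address so the "packets addressed to the firewall should never show up inside" expectation can be checked too.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Snort "fast" alert line format (one alert per line, as written by alert_fast):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

Alert = Dict[str, str]
Key = Tuple[str, str, str, str, str]

# Constructed sample alerts (not real sensor output). 203.0.113.x are outside hosts,
# 198.51.100.x is the public side of the edge (198.51.100.1 = the firewall itself),
# 10.0.x.x is the inside. Rule ids are in the local/custom range.
EXTERNAL_ALERTS = [
    "05/31-16:01:02.000001  [**] [1:1000001:1] CONSTRUCTED ICMP PING sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 198.51.100.10",
    "05/31-16:01:05.000001  [**] [1:1000002:1] CONSTRUCTED WEB-ATTACK traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40211 -> 198.51.100.20:80",
    "05/31-16:01:09.000001  [**] [1:1000003:1] CONSTRUCTED SCAN probe to firewall [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51000 -> 198.51.100.1:22",
]
INTERNAL_ALERTS = [
    "05/31-16:01:05.000120  [**] [1:1000002:1] CONSTRUCTED WEB-ATTACK traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40211 -> 198.51.100.20:80",
    "05/31-16:02:30.000001  [**] [1:1000004:1] CONSTRUCTED POLICY internal host probing server [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.44:3344 -> 10.0.1.10:445",
]


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line into a dict of fields; None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    return {k: (v if v is not None else "") for k, v in m.groupdict().items()}


def alert_key(alert: Alert) -> Key:
    # Correlation key: rule id plus the flow endpoints. The source port is left out
    # because it changes between retries; timestamps are left out because the two
    # sensors see the same packet a few microseconds apart. Assumes no NAT between sensors.
    return (alert["gid"], alert["sid"], alert["src"], alert["dst"], alert["dport"])


def index_alerts(lines: Iterable[str]) -> Dict[Key, Alert]:
    """First alert seen per key; non-alert lines (comments, garbage) are skipped."""
    seen: Dict[Key, Alert] = {}
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is not None:
            seen.setdefault(alert_key(alert), alert)
    return seen


def diff_sensors(external_lines: Iterable[str], internal_lines: Iterable[str],
                 firewall_addrs: Set[str] = frozenset()) -> Dict[str, List[Alert]]:
    """Split alerts into blocked-at-edge / made-it-through / internal-only buckets."""
    outside = index_alerts(external_lines)
    inside = index_alerts(internal_lines)
    blocked = sorted(outside.keys() - inside.keys())
    passed = sorted(outside.keys() & inside.keys())
    internal_only = sorted(inside.keys() - outside.keys())
    return {
        "blocked_at_edge": [outside[k] for k in blocked],
        "made_it_through": [outside[k] for k in passed],
        "internal_only": [inside[k] for k in internal_only],
        # Anything addressed to the firewall itself that still showed up inside contradicts
        # the expectation that the edge drops packets destined for its own address.
        "firewall_targeted_passed": [outside[k] for k in passed if outside[k]["dst"] in firewall_addrs],
    }


def summarize(result: Dict[str, List[Alert]]) -> str:
    """Plain-text report, one bucket per section."""
    out: List[str] = []
    for bucket, alerts in result.items():
        out.append(f"{bucket}: {len(alerts)}")
        for a in alerts:
            out.append(f"  [{a['gid']}:{a['sid']}] {a['msg']}  {a['src']} -> {a['dst']}:{a['dport'] or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(diff_sensors(EXTERNAL_ALERTS, INTERNAL_ALERTS, {"198.51.100.1"})))
```

In real use the two lists would come from each sensor's alert file for the same time window; the "made_it_through" bucket is the one worth taking to the network staff, since it is exactly what Justin says the firewall team cannot wave away.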

Joel Esler <eslerj@gmail.com>
05/28/2005 10:14 AM
Please respond to: Joel Esler <eslerj@gmail.com>
To: Venkatesh G S <venkatesh.gs@gmail.com>
cc: Security Focus IDS Forum <focus-ids@securityfocus.com>
Subject: Re: New to Snort !!!

What are your questions?

Snort should be placed on your outer-most network device on a "SPAN"
or "Mirrored" port.

Snort should be installed on a Linux platform.  The Windows version
(as far as I know) tends to drop more packets.  Maybe someone can
correct me.

A better place to submit your questions is on the snort-users listserv.

Look it up at www.snort.org

Joel

On 5/24/05, Venkatesh G S <venkatesh.gs@gmail.com> wrote:
Hi all,

      I am a new member to this group & I am sure I will get your
valuable suggestions for my problem.
     I work for an organization where we have almost all the latest
devices in place, which includes L3 switches, VoIP, high-end servers &
etc. We have around 1500 desktops & this is a production environment.

My problem

i) My network manager wants me to suggest an IDS, and I googled
yesterday and recommended him - Snort.
ii) I am quite new to IDS and I haven't done even a single
installation of Snort till now.

Can anyone let me know the features of Snort, and where this sensor should
be placed in the network? Please don't think that I am not doing my
homework. I have already started to collect information from Snort.org
but I find it a little too difficult to understand the concept.

I need help in how to install Snort. Finally, is there any Windows
edition of Snort available?

Regards

Venkatesh


--
The impossible is often untried.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------




-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
