Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Configuring Snort as a HIDS

from [Seth] Network Security [Permanent Link]
Subject: Re: [Snort-users] Configuring Snort as a HIDS
Date: Tue, 4 Dec 2007 13:47:25 -0500 
Home_net -> server IP
External_net -> !$HOME_NET

What kind of services does the machine offer? You can probably eliminate
most of the .rules files and only include the ones necessary for your
specific server.

Same goes for preproccessors.  No need for the telnet_ftp preproccessor if
you are installing snort directly on a web server that will never do any
telnet or ftp.

Just know that the types of alerts you will get from snort on a single
server, are entirely different than a true HIDS.  Something like OSSEC by
Daniel Cid might be what you are really looking for.   By industry standard,
HIPS are more concerned with file integrity and system log parsing on the
actual server (ie: apache, firewall, messages, etc).  Snort, even when it is
run on a single server, is more concerned with network based attacks.

Remember also that if the server you install snort on sees alot of traffic,
snort will be stealing alot of CPU and memory away from the service you are
offering.

Regards,

Seth






On Dec 4, 2007 1:21 PM, Kaplan, Andrew H. <AHKAPLAN@partners.org> wrote:


 Hi there –



I have installed the prepackaged snort application, version 2.7, on a
server running Fedora Core 7. My plan is to run the application

as a HIDS. Is there a recommended configuration that I should set up to
accomplish this?

The information transmitted in this electronic communication is intended only
for the person or entity to whom it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or other
use of or taking of any action in reliance upon this information by persons or
entities other than the intended recipient is prohibited. If you received this
information in error, please contact the Compliance HelpLine at 800-856-1983 
and
properly dispose of this information.




-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Configuring Snort as a HIDS, Kaplan, Andrew H.
Next by Date:  Re: [Snort-users] Configuring Snort as a HIDS, Jason Haar
Previous by Thread:  [Snort-users] Configuring Snort as a HIDS, Kaplan, Andrew H.
Next by Thread:  Re: [Snort-users] Configuring Snort as a HIDS, Jason Haar
Indexes:  [Date] [Thread] [Top] [All Lists]