Re: [gentoo-user] IDS

2003-11-13 Thread rd
NP, I understand, as I am a developer also.  Guess I just
have to make the time to hack on 'guardian' and get it to
work w/ iptables.

-later
rdg

--- SN <[EMAIL PROTECTED]> wrote:
> 
> - Original Message - 
> From: "rd" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, November 13, 2003 12:13 AM
> Subject: Re: [gentoo-user] IDS
> 
> 
> > What are you using to modify iptables after snort detects
> > something bad?
> >
> > With ipchains, I used to use 'guardian' (available from
> > link on snort web page), but have not updated it so it will
> > work with iptables yet.
> >
> > Is your work GPL?  I am sure many more experienced IDS
> > users would be interested.
> 
> Since I'm a professional Perl programmer, I wrote a script for our company
> in Perl that reads snort logs and creates rules for iptables.
> But it ain't GPL, only for internal business, sorry.


__
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] IDS

2003-11-13 Thread SN

- Original Message - 
From: "rd" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 13, 2003 12:13 AM
Subject: Re: [gentoo-user] IDS


> What are you using to modify iptables after snort detects
> something bad?
>
> With ipchains, I used to use 'guardian' (available from
> link on snort web page), but have not updated it so it will
> work with iptables yet.
>
> Is your work GPL?  I am sure many more experienced IDS
> users would be interested.

Since I'm a professional Perl programmer, I wrote a script for our company
in Perl that reads snort logs and creates rules for iptables.
But it ain't GPL, only for internal business, sorry.


--
[EMAIL PROTECTED] mailing list
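SN describes, here and again in the 2003-11-12 message further down, a private Perl script that reads snort logs and turns them into iptables rules. The block below is an added example written for this page; it is not SN's script, nor code from the snort or guardian projects. It parses Snort's one-line "fast" alert format (what `snort -A fast` writes) with Python and builds an iptables DROP rule per attacking source, with the safeguards you want before letting an IDS drive the firewall: a priority threshold, an allowlist of addresses that must never be blocked, and no action on UDP or ICMP alerts, whose source address is trivially forged (otherwise an attacker spoofs your gateway or DNS server and you block yourself). The sample alert lines, the allowlist networks and the signature IDs (1000001 and up) are constructed for the example.

```python
#!/usr/bin/env python3
"""Turn Snort 'fast' alerts into iptables DROP rules (added example).

Reads the one-line-per-alert format Snort writes with '-A fast' and
emits one iptables rule per attacking source address. Safeguards:
  * alerts below a priority threshold are ignored (Snort priority 1 is
    the most severe),
  * addresses on ALLOWLIST are never blocked,
  * UDP and ICMP alerts are ignored, because their source address can be
    forged and an attacker could otherwise make you block your own
    gateway or DNS server,
  * each address is blocked once.
Default is dry_run=True: rules are returned/printed, not applied.
"""
import ipaddress
import re
import subprocess
import sys
from typing import Any, Dict, Iterable, List, Optional

# One Snort 2.x alert_fast line looks like:
# 11/13-00:13:45.123456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**]
#   [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Assumed local networks and hosts that must never be blocked: the LAN,
# loopback and a hypothetical upstream DNS server at 198.51.100.1.
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8", "198.51.100.1/32")]
# Protocols whose source address is not validated by a handshake.
SPOOFABLE = {"UDP", "ICMP"}


def parse_alert(line: str) -> Optional[Dict[str, Any]]:
    """Return the alert fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    d: Dict[str, Any] = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    return d


def is_allowlisted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWLIST)


def block_rules(lines: Iterable[str], max_prio: int = 1,
                dry_run: bool = True) -> List[List[str]]:
    """Build (and, unless dry_run, apply) one DROP rule per offending source."""
    seen = set()
    rules: List[List[str]] = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_prio or a["proto"] in SPOOFABLE:
            continue
        src = a["src"]
        if src in seen or is_allowlisted(src):
            continue
        seen.add(src)
        cmd = ["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]
        rules.append(cmd)
        if not dry_run:
            subprocess.run(cmd, check=True)   # needs root
    return rules


# Constructed sample alerts; the signature IDs are invented for the example.
SAMPLE_ALERTS = [
    "11/13-00:13:45.123456  [**] [1:1000001:1] Constructed: SSH brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 198.51.100.5:22",
    "11/13-00:13:46.000001  [**] [1:1000002:1] Constructed: UDP flood with forged source [**] "
    "[Classification: Attempted Denial of Service] [Priority: 1] {UDP} 198.51.100.1:53 -> 198.51.100.5:53",
    "11/13-00:13:47.000002  [**] [1:1000003:1] Constructed: portscan from LAN host [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.23:40000 -> 198.51.100.5:80",
    "11/13-00:13:48.000003  [**] [1:1000001:1] Constructed: SSH brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51235 -> 198.51.100.5:22",
    "11/13-00:13:49.000004  [**] [1:1000004:1] Constructed: web attack [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.23:40001 -> 198.51.100.5:80",
    "11/13-00:13:50.000005  [**] [1:1000005:1] Constructed: ICMP sweep [**] "
    "[Classification: Misc activity] [Priority: 1] {ICMP} 203.0.113.9 -> 198.51.100.5",
    "garbage line that is not an alert",
]


if __name__ == "__main__":
    source = SAMPLE_ALERTS if sys.stdin.isatty() else sys.stdin
    for cmd in block_rules(source):
        print(" ".join(cmd))
```

Fed the sample alerts, it emits a single rule for 203.0.113.7 (the repeat alert and the two hits from the allowlisted LAN host are dropped, and the forged-looking UDP and ICMP events are ignored). Pipe `tail -F` of the alert file into it to print rules, and set `dry_run=False` only once you have also added rule expiry and a way to unblock, since as written a blocked address stays blocked until the chain is flushed.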



Re: [gentoo-user] IDS

2003-11-12 Thread rd
What are you using to modify iptables after snort detects
something bad?

With ipchains, I used to use 'guardian' (available from
link on snort web page), but have not updated it so it will
work with iptables yet.

Is your work GPL?  I am sure many more experienced IDS
users would be interested.

-rdg

--- SN <[EMAIL PROTECTED]> wrote:
> If it's a single machine, then I'd suggest snort.
> 
> But as I followed the thread, you don't seem to have ever
> worked with either snort or prelude. This is bad: Gentoo's
> preconfigured scripts suck; to get something out of it you
> will have to reconfigure a couple of things. I have
> set up snort on several distros, but they usually had one
> thing in common: a bad start configuration.
> I have written some additional scripts that add better
> snort support for dialup users, and I have added support
> for automatic blocking through iptables in case snort
> detects critical attacks.
> 
> The thing is, as someone mentioned earlier, if you don't
> have a lot of knowledge of real attacks, network setup
> etc. and if you are not experienced with an IDS, all you
> will get is a load of information that you don't know how
> to interpret.



Re: [gentoo-user] IDS

2003-11-12 Thread SN
If it's a single machine, then I'd suggest snort.

But as I followed the thread, you don't seem to have ever worked with either
snort or prelude. This is bad: Gentoo's preconfigured scripts suck; to get
something out of it you will have to reconfigure a couple of things. I have
set up snort on several distros, but they usually had one thing in common: a
bad start configuration.
I have written some additional scripts that add better snort support for
dialup users, and I have added support for automatic blocking through
iptables in case snort detects critical attacks.

The thing is, as someone mentioned earlier, if you don't have a lot of
knowledge of real attacks, network setup etc. and if you are not experienced
with an IDS, all you will get is a load of information that you don't know
how to interpret.

  - Original Message - 
  From: Chase Jeffery D
  To: [EMAIL PROTECTED]
  Sent: Monday, November 10, 2003 10:07 PM
  Subject: RE: [gentoo-user] IDS

  single machine.  This is going to be installed on my firewall
  machine..



Re: [gentoo-user] IDS

2003-11-11 Thread Michael Boman
On Tue, 2003-11-11 at 02:48, Chase Jeffery D wrote:
> Hi everyone, Just wondering what Network intrusion detection software
> is the best.  I've heard the main two programs to use would be Snort
> or Prelude and am wondering which of the two gives you more
> flexibility(configuration) and better detection/reporting?
> 
> Thanks for your help,
> Jeff

I find prelude generates more data (i.e. more things to decide on, whether
something bad is really happening or if it's just a "hiccup") than
snort. Prelude is also an architecture/framework, so you can correlate IDS
data from NIDS, logs etc., while snort is just a NIDS.

Stay tuned, I am expecting to put newer builds in portage this week.
Send me a ping privately at [EMAIL PROTECTED] (or mboman on
irc.freenode.org, usually on #prelude, #gentoo-hardened, #gentoo-dev,
#snort and #snort-gui) if you want to become a pre-beta tester of my
ebuilds. Of course others are welcome to apply for the pre-beta post as
well ;)

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com




RE: [gentoo-user] IDS

2003-11-10 Thread Chase Jeffery D
Thanks, it's more of a curiosity thing I guess.  Just would like to know
when I'm being hacked so that I can take steps to make sure it doesn't
happen again.  I think it would be a good troubleshooting tool..
Thanks for the reply. 

-Original Message-
From: Ric Messier [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 10, 2003 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [gentoo-user] IDS




On Mon, 10 Nov 2003, Chase Jeffery D wrote:

> Just would like to see if/when someone is trying to hack me
>

So, what do you plan to do if/when someone tries to hack you? What sort of
rules are you interested in implementing?  Are you planning to do
real-time monitoring of your IDS (you want it to page/send e-mail/ring
bells, etc?) or are you planning to use it as a casual thing that you
check periodically?

Network IDS, particularly without a properly tuned ruleset tailored to
your specific needs, can be overwhelmingly chatty or noisy -- in terms of
alerting.

Speaking as someone who has been responsible for building IDS services for
a Tier 1 network back-bone for the last couple of years, I'm always a
little skittish when people ask about network IDS. It's vastly over-rated
in terms of its ability to provide decent security. As I asked above,
what would you do if you learned that someone had tried to hack you?
Unless you are someone special or use a lot of IRC, odds are you are only
going to see worm-related activity and an odd port scan or two. The
Internet isn't nearly as interesting a place for hacking activities as
folks would like you to believe. Unless you have something worth looking
at.

Unless you have a clearly defined security policy (or idea what you are
looking for) and this is more of the "curiosity" factor, then snort is a
very good product. You can also get DeMarc or Acid as consoles to look to
your heart's content at a lot of mostly uninteresting data.

Thus endeth the rant. Back to your regularly scheduled programming. 

:-)





RE: [gentoo-user] IDS

2003-11-10 Thread Ric Messier


On Mon, 10 Nov 2003, Chase Jeffery D wrote:

> Just would like to see if/when someone is trying to hack me 
>

So, what do you plan to do if/when someone tries to hack you? What sort of 
rules are you interested in implementing?  Are you planning to do 
real-time monitoring of your IDS (you want it to page/send e-mail/ring 
bells, etc?) or are you planning to use it as a casual thing that you 
check periodically? 

Network IDS, particularly without a properly tuned ruleset tailored to 
your specific needs, can be overwhelmingly chatty or noisy -- in terms of 
alerting. 

Speaking as someone who has been responsible for building IDS services for 
a Tier 1 network back-bone for the last couple of years, I'm always a 
little skittish when people ask about network IDS. It's vastly over-rated 
in terms of its ability to provide decent security. As I asked above, 
what would you do if you learned that someone had tried to hack you? 
Unless you are someone special or use a lot of IRC, odds are you are only 
going to see worm-related activity and an odd port scan or two. The 
Internet isn't nearly as interesting a place for hacking activities as 
folks would like you to believe. Unless you have something worth looking 
at. 

Unless you have a clearly defined security policy (or idea what you are 
looking for) and this is more of the "curiosity" factor, then snort is a 
very good product. You can also get DeMarc or Acid as consoles to look to 
your heart's content at a lot of mostly uninteresting data. 

Thus endeth the rant. Back to your regularly scheduled programming. 

:-)





RE: [gentoo-user] IDS

2003-11-10 Thread Chase Jeffery D
Just would like to see if/when someone is trying to hack me 

Jeff


-Original Message-
From: Ric Messier [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 10, 2003 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [gentoo-user] IDS




On Mon, 10 Nov 2003, Chase Jeffery D wrote:

> single machine.  This is going to be installed on my firewall 
> machine..
>  
>

What's your goal in installing a network IDS? 

Ric





RE: [gentoo-user] IDS

2003-11-10 Thread Ric Messier


On Mon, 10 Nov 2003, Chase Jeffery D wrote:

> single machine.  This is going to be installed on my firewall
> machine..
>  
>

What's your goal in installing a network IDS? 

Ric





RE: [gentoo-user] IDS

2003-11-10 Thread Chase Jeffery D
single machine.  This is going to be installed on my firewall
machine..

  -Original Message-
  From: SN [mailto:[EMAIL PROTECTED]
  Sent: Monday, November 10, 2003 3:26 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [gentoo-user] IDS

  Depends on your network, single machine or a whole
  set of machines?


Re: [gentoo-user] IDS

2003-11-10 Thread SN
Depends on your network, single machine or a whole 
set of machines?

  - Original Message - 
  From: Chase Jeffery D
  To: [EMAIL PROTECTED]
  Sent: Monday, November 10, 2003 7:48 PM
  Subject: [gentoo-user] IDS

  Hi everyone, Just wondering what Network intrusion detection software is
  the best.  I've heard the main two programs to use would be Snort or
  Prelude and am wondering which of the two gives you more
  flexibility (configuration) and better detection/reporting?

  Thanks for your help,
      Jeff


[gentoo-user] IDS

2003-11-10 Thread Chase Jeffery D
Hi everyone, Just wondering what Network intrusion detection software is
the best.  I've heard the main two programs to use would be Snort or
Prelude and am wondering which of the two gives you more
flexibility (configuration) and better detection/reporting?


Thanks for your help,

    Jeff