Re: [gentoo-user] IDS
NP, I understand, as I am a developer also. Guess I just have to make the time to hack on 'guardian' and get it to work w/ iptables.

-later
rdg

--- SN <[EMAIL PROTECTED]> wrote:
> Since I'm a professional Perl programmer, I wrote a script for our company
> in Perl that reads out snort logs and creates rules for iptables.
> But it ain't GPL, only for internal business, sorry.

-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] IDS
----- Original Message -----
From: "rd" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 13, 2003 12:13 AM
Subject: Re: [gentoo-user] IDS

> What are you using to modify iptables after snort detects
> something bad?
>
> With ipchains, I used to use 'guardian' (available from
> link on snort web page), but have not updated it so it will
> work with iptables yet.
>
> Is your work GPL? I am sure many more experienced IDS
> users would be interested.

Since I'm a professional Perl programmer, I wrote a script for our company
in Perl that reads out snort logs and creates rules for iptables.
But it ain't GPL, only for internal business, sorry.
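The log-to-firewall glue SN describes, written here as an added Python example; it is not SN's Perl script (which is not public) nor anything from the Snort project. It parses Snort "fast"-format alert lines, collects the source addresses of alerts at or above a severity threshold (Snort priority 1 is the most severe), skips an allowlist so the firewall cannot block its own LAN, and renders the iptables commands. The alert lines, the chain name SNORT_BLOCK and the allowlisted networks are constructed for the example.

```python
import ipaddress
import re

# One Snort "fast" alert line (snort -A fast); the port is absent for ICMP.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)
# Constructed alerts, not real traffic; sids from 1000000 up are Snort's local-rule range.
SAMPLE_ALERTS = """\
11/13-00:13:01.123456  [**] [1:1000001:1] LOCAL constructed ssh attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:40000 -> 198.51.100.5:22
11/13-00:13:05.654321  [**] [1:1000002:1] LOCAL constructed scan noise [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:55555 -> 198.51.100.5:80
11/13-00:13:09.000001  [**] [1:1000001:1] LOCAL constructed ssh attack [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.20:3333 -> 198.51.100.5:22
11/13-00:13:12.000002  [**] [1:1000003:1] LOCAL constructed icmp alert [**] [Priority: 1] {ICMP} 192.0.2.10 -> 198.51.100.5
not an alert line: snort restarted
"""

def parse_alert(line):
    """Return the alert's fields as a dict (priority as int), or None for non-alert lines."""
    m = ALERT_RE.search(line)
    return dict(m.groupdict(), prio=int(m["prio"])) if m else None

def sources_to_block(lines, max_priority=1, allow=("127.0.0.0/8",)):
    """Map attacker source IP -> first sid seen, for alerts with priority <= max_priority."""
    nets = [ipaddress.ip_network(n) for n in allow]
    hits = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority:  # Snort priority 1 is the most severe
            continue
        if any(ipaddress.ip_address(a["src"]) in n for n in nets):
            continue  # allowlisted (LAN, loopback, gateway): never lock ourselves out
        hits.setdefault(a["src"], a["sid"])  # one rule per source, not one per alert
    return hits

def iptables_commands(hits, chain="SNORT_BLOCK"):
    """Shell commands: a dedicated chain hooked into INPUT, then one DROP per source."""
    cmds = [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    for ip in sorted(hits, key=ipaddress.ip_address):
        cmds.append(f"iptables -A {chain} -s {ip} -m comment --comment 'snort sid {hits[ip]}' -j DROP")
    return cmds

if __name__ == "__main__":
    hits = sources_to_block(SAMPLE_ALERTS.splitlines(), allow=("127.0.0.0/8", "192.168.0.0/16"))
    print("\n".join(iptables_commands(hits)))
```

Blocking on a single alert inherits every false positive in the ruleset, which is why the tuning Ric Messier insists on below has to come before any automation of this kind.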
Re: [gentoo-user] IDS
What are you using to modify iptables after snort detects something bad?

With ipchains, I used to use 'guardian' (available from link on snort web page), but have not updated it so it will work with iptables yet.

Is your work GPL? I am sure many more experienced IDS users would be interested.

-rdg

--- SN <[EMAIL PROTECTED]> wrote:
> If it's a single machine, then I'd suggest snort.
>
> But as I followed the thread, you don't seem to have ever worked with
> either snort or prelude, this is bad, Gentoo's preconfigured scripts
> suck, to get some out of it you will have to reconfigure a couple of
> things.. I have set up snort on several distros, but they usually had
> one thing in common: a bad start configuration.
> I have written some additional scripts, that add better snort support
> for dialup users and I have added support for automatic blocking
> through iptables in case snort detects critical attacks.
>
> The thing is as someone mentioned earlier, if you don't have a lot of
> knowledge of real attacks, network setup etc. and if you are not
> experienced with an ids all you will get is a load of information that
> you don't know how to interpret.
Re: [gentoo-user] IDS
If it's a single machine, then I'd suggest snort.

But as I followed the thread, you don't seem to have ever worked with either snort or prelude, this is bad, Gentoo's preconfigured scripts suck, to get some out of it you will have to reconfigure a couple of things.. I have set up snort on several distros, but they usually had one thing in common: a bad start configuration. I have written some additional scripts, that add better snort support for dialup users and I have added support for automatic blocking through iptables in case snort detects critical attacks.

The thing is as someone mentioned earlier, if you don't have a lot of knowledge of real attacks, network setup etc. and if you are not experienced with an ids all you will get is a load of information that you don't know how to interpret.

----- Original Message -----
From: Chase Jeffery D
To: [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 10:07 PM
Subject: RE: [gentoo-user] IDS

> single machine. This is going to be installed on my firewall machine..
Re: [gentoo-user] IDS
On Tue, 2003-11-11 at 02:48, Chase Jeffery D wrote:
> Hi everyone, just wondering what Network intrusion detection software
> is the best. I've heard the main two programs to use would be Snort
> or Prelude and am wondering which of the two gives you more
> flexibility (configuration) and better detection/reporting?
>
> Thanks for your help,
> Jeff

I find prelude generates more data (ie: more things to decide on, whether something bad is really happening or if it's just a "hiccup") than snort. Prelude is also an architecture/framework so you can correlate IDS data from NIDS, logs etc while snort is just a NIDS.

Stay tuned, I am expecting to put newer builds in portage this week. Send me a ping privately at [EMAIL PROTECTED] (or mboman on irc.freenode.org, usually on #prelude, #gentoo-hardened, #gentoo-dev, #snort and #snort-gui) if you want to become a pre-beta tester of my ebuilds. Of course others are welcome to apply for the pre-beta post as well ;)

Best regards
Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
RE: [gentoo-user] IDS
Thanks, it's more of a curiosity thing I guess. Just would like to know when I'm being hacked so that I can take steps to make sure it doesn't happen again. I think it would be a good troubleshooting tool..

Thanks for the reply.

-----Original Message-----
From: Ric Messier [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [gentoo-user] IDS

> So, what do you plan to do if/when someone tries to hack you? What sort of
> rules are you interested in implementing? Are you planning to do real-time
> monitoring of your IDS (you want it to page/send e-mail/ring bells, etc?)
> or are you planning to use it as a casual thing that you check periodically?
RE: [gentoo-user] IDS
On Mon, 10 Nov 2003, Chase Jeffery D wrote:

> Just would like to see if/when someone is trying to hack me
>

So, what do you plan to do if/when someone tries to hack you? What sort of rules are you interested in implementing? Are you planning to do real-time monitoring of your IDS (you want it to page/send e-mail/ring bells, etc?) or are you planning to use it as a casual thing that you check periodically?

Network IDS, particularly without a properly tuned ruleset tailored to your specific needs, can be overwhelmingly chatty or noisy -- in terms of alerting.

Speaking as someone who has been responsible for building IDS services for a Tier 1 network backbone for the last couple of years, I'm always a little skittish when people ask about network IDS. It's vastly over-rated in terms of its ability to provide decent security. As I asked above, what would you do if you learned that someone had tried to hack you? Unless you are someone special or use a lot of IRC, odds are you are only going to see worm-related activity and an odd port scan or two. The Internet isn't nearly as interesting a place for hacking activities as folks would like you to believe. Unless you have something worth looking at.

Unless you have a clearly defined security policy (or idea what you are looking for) and this is more of the "curiosity" factor, then snort is a very good product. You can also get DeMarc or Acid as consoles to look to your heart's content at a lot of mostly uninteresting data.

Thus endeth the rant. Back to your regularly scheduled programming. :-)
RE: [gentoo-user] IDS
Just would like to see if/when someone is trying to hack me

Jeff

-----Original Message-----
From: Ric Messier [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 4:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [gentoo-user] IDS

On Mon, 10 Nov 2003, Chase Jeffery D wrote:
> single machine. This is going to be installed on my firewall
> machine..
>

What's your goal in installing a network IDS?

Ric
RE: [gentoo-user] IDS
On Mon, 10 Nov 2003, Chase Jeffery D wrote:
> single machine. This is going to be installed on my firewall
> machine..
>

What's your goal in installing a network IDS?

Ric
RE: [gentoo-user] IDS
single machine. This is going to be installed on my firewall machine..

-----Original Message-----
From: SN [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 3:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [gentoo-user] IDS

> Depends on your network, single machine or a whole set of machines?
Re: [gentoo-user] IDS
Depends on your network, single machine or a whole set of machines?

----- Original Message -----
From: Chase Jeffery D
To: [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 7:48 PM
Subject: [gentoo-user] IDS

> Hi everyone, just wondering what Network intrusion detection software is the best. I've heard the main two programs to use would be Snort or Prelude and am wondering which of the two gives you more flexibility (configuration) and better detection/reporting?
>
> Thanks for your help,
> Jeff
[gentoo-user] IDS
Hi everyone, just wondering what Network intrusion detection software is the best. I've heard the main two programs to use would be Snort or Prelude and am wondering which of the two gives you more flexibility (configuration) and better detection/reporting?

Thanks for your help,
Jeff