Re: NIDS on OpenBSD
I added this in pf.conf:

    table <black> persist file /etc/black
    ...
    block quick from <black>

and added this to crontab:

    pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')

What do you think about that? Perhaps you have an easier way to do it?
Now I'm looking for a small web monitor to view alerts provided by scanlogd. Any idea?

cheers,
Wesley.

On Wed, 19 Oct 2011 09:31:35 +0400, Wesley M. <open...@e-solutions.re> wrote:
> Hi,
> I use OpenBSD 4.9, I'm looking for a good NIDS.
> I found scanlogd in ports, works very well.
> But is there a way to make this one work with pf? For example, add the IP address detected by scanlogd to a blacklist table?
> Also, is there a way to have a web monitor to view alerts?
> Perhaps you use something else ... what? ;-) snort?
> Thank you very much!
> All the best,
> Wesley.
Re: NIDS on OpenBSD
I think it is bad practice to use something that's not even in the base, when you have the feature in pf readily available.

    pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
        (max-src-conn-rate 1/60, overload <badhosts> flush global)

On Wed, 19 Oct 2011 10:04:09 +0400 Wesley M. <open...@e-solutions.re> wrote:
> I added this in pf.conf:
>
>     table <black> persist file /etc/black
>     ...
>     block quick from <black>
>
> and added this to crontab:
>
>     pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
>
> What do you think about that? Perhaps you have an easier way to do it?
> Now I'm looking for a small web monitor to view alerts provided by scanlogd. Any idea?
>
> cheers,
> Wesley.
>
> On Wed, 19 Oct 2011 09:31:35 +0400, Wesley M. <open...@e-solutions.re> wrote:
>> Hi,
>> I use OpenBSD 4.9, I'm looking for a good NIDS.
>> I found scanlogd in ports, works very well.
>> But is there a way to make this one work with pf? For example, add the IP address detected by scanlogd to a blacklist table?
>> Also, is there a way to have a web monitor to view alerts?
>> Perhaps you use something else ... what? ;-) snort?
>> Thank you very much!
>> All the best,
>> Wesley.
Re: NIDS on OpenBSD
I don't agree. Using PF, and only PF, we can feed a table using some parameters and it is filtered on one/several ports. PF can't detect a network scan like nmap or ... So that is why I use scanlogd (it is in the OpenBSD ports). And some people use Snort also for this kind of thing.
PF is a good firewall, we can play with QoS / IP and port filtering / NAT / Src NAT / stateful / load balancing / scrub, but it is not a NIDS. ;-)

All the best,
Wesley M.

On Wed, 19 Oct 2011 10:05:33 +0300, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> I think it is bad practice to use something that's not even in the base, when you have the feature in pf readily available.
>
>     pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
>         (max-src-conn-rate 1/60, overload <badhosts> flush global)
>
> On Wed, 19 Oct 2011 10:04:09 +0400 Wesley M. <open...@e-solutions.re> wrote:
>> I added this in pf.conf:
>>
>>     table <black> persist file /etc/black
>>     ...
>>     block quick from <black>
>>
>> and added this to crontab:
>>
>>     pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
>>
>> What do you think about that? Perhaps you have an easier way to do it?
>> Now I'm looking for a small web monitor to view alerts provided by scanlogd. Any idea?
>>
>> cheers,
>> Wesley.
>>
>> On Wed, 19 Oct 2011 09:31:35 +0400, Wesley M. <open...@e-solutions.re> wrote:
>>> Hi,
>>> I use OpenBSD 4.9, I'm looking for a good NIDS.
>>> I found scanlogd in ports, works very well.
>>> But is there a way to make this one work with pf? For example, add the IP address detected by scanlogd to a blacklist table?
>>> Also, is there a way to have a web monitor to view alerts?
>>> Perhaps you use something else ... what? ;-) snort?
>>> Thank you very much!
>>> All the best,
>>> Wesley.
Re: NIDS on OpenBSD
On 2011-10-19, Wesley M. <open...@e-solutions.re> wrote:
> I don't agree. Using PF, and only PF, we can feed a table using some parameters and it is filtered on one/several ports. PF can't detect a network scan like nmap or ... So that is why I use scanlogd (it is in the OpenBSD ports). And some people use Snort also for this kind of thing.

How do you know that the scans are really coming from the address written in the packets?
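The cron one-liner earlier in the thread hands whatever sits in the sixth field of /var/log/alert straight to pfctl, and the question just above is the catch a defender has to handle: scanlogd reports the source address the packets carried, which nobody authenticated, so blindly blocking every reported address lets a forged scan push your own resolver, monitor or upstream router into the block table. The script below is an added example, not code from the thread, from scanlogd or from OpenBSD. It assumes scanlogd logs through syslog as "... scanlogd: From A.B.C.D to ..." (the line format is an assumption), a pf table named black as in the pf.conf posted above, and a NEVER_BLOCK list that you fill with addresses that must never be blocked on the strength of a reported scan; the sample log lines are constructed, and PFCTL=echo gives a dry run.

```shell
#!/bin/sh
# Added example (not from the thread, scanlogd or OpenBSD): feed scanlogd-reported
# scan sources into a pf table with guard rails around the raw
#   pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
# approach: pick the address by keyword instead of field position, accept only
# well-formed IPv4 addresses, never block allowlisted hosts, and de-duplicate.
#
# Assumed pf.conf (table name as in the thread):
#   table <black> persist file "/etc/black"
#   block quick from <black>
#
# Assumed log line format (scanlogd via syslog; the format is an assumption):
#   Oct 19 09:12:01 fw scanlogd: From 198.51.100.23 to 203.0.113.5 ports 21, 22, ...

ALERT_LOG="${ALERT_LOG:-/var/log/alert}"
TABLE="${TABLE:-black}"
PFCTL="${PFCTL:-pfctl}"          # set PFCTL=echo for a dry run
# Addresses that must never be blocked because a scan "came from" them: the
# source address of a scan packet is unauthenticated, so a forged scan could
# otherwise take your own infrastructure off the firewall. Constructed defaults.
NEVER_BLOCK="${NEVER_BLOCK:-203.0.113.10 203.0.113.11}"

# Constructed sample of /var/log/alert for the demo and tests (not real log data).
SAMPLE_ALERT_LOG='Oct 19 09:12:01 fw scanlogd: From 198.51.100.23 to 203.0.113.5 ports 21, 22, 23, 25, 80, 110, ..., TOS 00 @09:12:01
Oct 19 09:13:44 fw scanlogd: From 198.51.100.23 to 203.0.113.5 ports 8080, 8443, ..., TOS 00 @09:13:44
Oct 19 09:15:10 fw scanlogd: From 203.0.113.10 to 203.0.113.5 ports 22, 80, 443, ..., TOS 00 @09:15:10
Oct 19 09:16:02 fw sshd[1234]: Failed password for root from 198.51.100.77 port 4242 ssh2
Oct 19 09:17:30 fw scanlogd: From 999.1.1.1 to 203.0.113.5 ports 22, 23, ..., TOS 00 @09:17:30'

# Print the token after "From" on scanlogd lines only. Position-independent, so a
# different syslog prefix (hostname, pid) does not shift the field like $6 would.
extract_scan_sources() {
    awk '/scanlogd/ { for (i = 1; i < NF; i++) if ($i == "From") print $(i + 1) }'
}

# Exit 0 if $1 is a dotted quad with every octet in 0..255, else exit 1.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '{
        ok = (NF == 4)
        for (i = 1; i <= NF && ok; i++)
            if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
    } END { exit !ok }'
}

# Pass through only syntactically valid IPv4 addresses (pfctl would otherwise
# choke on, or misinterpret, any stray token that ended up in the log).
keep_valid_ipv4() {
    while IFS= read -r ip; do
        if valid_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# Drop anything listed in NEVER_BLOCK.
drop_never_block() {
    while IFS= read -r ip; do
        skip=0
        for a in $NEVER_BLOCK; do
            if [ "$ip" = "$a" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$ip"; fi
    done
}

# Full pipeline: log text on stdin, unique blockable addresses on stdout.
scan_sources_to_block() {
    extract_scan_sources | keep_valid_ipv4 | drop_never_block | sort -u
}

# Add the addresses found on stdin to the table in a single pfctl call.
# Does nothing (and calls nothing) when there is nothing to add.
block_scan_sources() {
    addrs=$(scan_sources_to_block)
    [ -n "$addrs" ] || return 0
    # shellcheck disable=SC2086  # word splitting into one argument per address is intended
    "$PFCTL" -t "$TABLE" -T add $addrs
}

# Demo against the constructed sample:  ./scan2pf.sh --demo
# Real use from cron:                    ./scan2pf.sh --cron
case "${1:-}" in
    --demo) PFCTL=echo; printf '%s\n' "$SAMPLE_ALERT_LOG" | block_scan_sources ;;
    --cron) block_scan_sources < "$ALERT_LOG" ;;
esac
```

Two things to keep in mind when running this from cron. Entries added with `pfctl -T add` stay in the table until something removes them, so pair it with `pfctl -t black -T expire <seconds>` (which drops addresses whose statistics were last cleared more than that many seconds ago) or the table grows forever; and the `overload <badhosts>` rule posted above needs no cron job at all, because pf fills that table itself from its own state tracking.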
Re: NIDS on OpenBSD
I don't agree with you either. My opinion is that if you have a good default-deny firewall ruleset, you can eliminate most of the threats. Again, scans are (mostly) harmless. Deploying a NIDS could give you a false sense of security.

On Wed, 19 Oct 2011 11:52:36 +0400 Wesley M. <open...@e-solutions.re> wrote:
> I don't agree. Using PF, and only PF, we can feed a table using some parameters and it is filtered on one/several ports. PF can't detect a network scan like nmap or ... So that is why I use scanlogd (it is in the OpenBSD ports). And some people use Snort also for this kind of thing.
> PF is a good firewall, we can play with QoS / IP and port filtering / NAT / Src NAT / stateful / load balancing / scrub, but it is not a NIDS. ;-)
>
> All the best,
> Wesley M.
>
> On Wed, 19 Oct 2011 10:05:33 +0300, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
>> I think it is bad practice to use something that's not even in the base, when you have the feature in pf readily available.
>>
>>     pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
>>         (max-src-conn-rate 1/60, overload <badhosts> flush global)
>>
>> On Wed, 19 Oct 2011 10:04:09 +0400 Wesley M. <open...@e-solutions.re> wrote:
>>> I added this in pf.conf:
>>>
>>>     table <black> persist file /etc/black
>>>     ...
>>>     block quick from <black>
>>>
>>> and added this to crontab:
>>>
>>>     pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
>>>
>>> What do you think about that? Perhaps you have an easier way to do it?
>>> Now I'm looking for a small web monitor to view alerts provided by scanlogd. Any idea?
>>>
>>> cheers,
>>> Wesley.
>>>
>>> On Wed, 19 Oct 2011 09:31:35 +0400, Wesley M. <open...@e-solutions.re> wrote:
>>>> Hi,
>>>> I use OpenBSD 4.9, I'm looking for a good NIDS.
>>>> I found scanlogd in ports, works very well.
>>>> But is there a way to make this one work with pf? For example, add the IP address detected by scanlogd to a blacklist table?
>>>> Also, is there a way to have a web monitor to view alerts?
>>>> Perhaps you use something else ... what? ;-) snort?
>>>> Thank you very much!
>>>> All the best,
>>>> Wesley.
Re: NIDS on OpenBSD
* Wesley M. <open...@e-solutions.re> [2011-10-19 09:53]:
> PF is a good firewall, we can play with QoS / IP and port filtering / NAT / Src NAT / stateful / load balancing / scrub, but it is not a NIDS. ;-)

Of course it isn't an IDS. We don't do marketing snake oil.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: NIDS on OpenBSD
hi

if you need something like that ... try ossec
www.ossec.net

holger

> Hi,
> I use OpenBSD 4.9, I'm looking for a good NIDS.
> I found scanlogd in ports, works very well.
> But is there a way to make this one work with pf? For example, add the IP address detected by scanlogd to a blacklist table?
> Also, is there a way to have a web monitor to view alerts?
> Perhaps you use something else ... what? ;-) snort?
> Thank you very much!
> All the best,
> Wesley.
Re: NIDS on OpenBSD
On Tue, Oct 18, 2011 at 10:31 PM, Wesley M. <open...@e-solutions.re> wrote:
> Hi,
> I use OpenBSD 4.9, I'm looking for a good NIDS.

It depends on what you are trying to accomplish. In general OSSEC and Snort are great intrusion detection tools to get started. OSSEC can monitor your logs and can block IP addresses if certain patterns are matched. This can shoot you in the foot if not configured properly. Snort can monitor your network interface for traffic patterns that match known exploits, port scans, etc.

Both can be pretty noisy, so you will need to learn how they work before deploying them so that they can be tuned properly. If you don't tune them, you're more likely to ignore the noise.

However, if you're not interested in intrusion detection, but rather looking for a way to block ssh brute force attempts, you can do a lot with PF, as was mentioned in this thread.

As far as port scans are concerned, I don't bother to act on them or attempt to block them. I don't see scans as a security problem, but that is my opinion.