[nycbug-talk] Intrusion Detection Solutions
eksffa at freebsdbrasil.com.br
Fri Feb 29 11:56:31 EST 2008
Mikel King escreveu:
> Once again I am canvassing the the community to see what people are
> doing about IDS. Please chime in if you have a recommendation? I
> would like to find out what's out there and learn the pros vs cons of
> each et cetera....
My IDS/IPS setup is made up of Snort Inline and OSSEC HIDS.
Pros, is how easy and good OSSEC is with windows monitors, feeding the
main HIDS processes on FreeBSD. Doing customized rules with this tool is
also easy and effective. It can also run external scripts in a framework
setup it calls active response, with pre-defined scripts for
firewalling, updating tcp wrappers conf and some other behaviors, as the
active response actions. I also love its integration with iplog, and its
ability to read and parse snort logs. However it is essencially just a
HIDS, although it can take advantage of iplog for example.
I run snort in inline mode because mostly I dont need just to drop
(flexresp) or to start a response script. Those are limited and
responsive actions. I need pro-active actions. Most rules in inline mode
I have drop or sdrop action, but some other, specially p2p ones I have
"reinject" actions which sends the packet back to IPFIREWALL(4) and lets
me tag+pipe it. When I need a more coese setup with snort sensors I tend
to run Snort with snortsam patch; but the standalone setups or the
complex setups I always have snort_inline in the main strategic areas of
Negative point on snort_inline is that, if, for some reason, it dies, I
have a DoS on my network. So I run it under daemontools (supervise) and
get notified if it dies. When it dies its the sysadmin fault who did not
test a rule or some syntax. However "divert" can always be switched by
"tee" action in the firewall if for some reason one believes this is not
an acceptable thing. I never run with tee, always divert. For me not
acceptable is using untested rules.
I dont see any other negative point. Everything else is just good to me,
so it makes my IDS/IPS combo of choice.
> talk mailing list
> talk at lists.nycbug.org
FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 at sip.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
More information about the talk