[nycbug-talk] Intrusion Detection Solutions

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Fri Feb 29 11:56:31 EST 2008

Mikel King wrote:
> Once again I am canvassing the community to see what people are  
> doing about IDS. Please chime in if you have a recommendation. I  
> would like to find out what's out there and learn the pros vs. cons of  
> each, et cetera....

My IDS/IPS setup is made up of Snort Inline and OSSEC HIDS.

Pros: how easy and good OSSEC is with Windows monitors feeding the 
main HIDS processes on FreeBSD. Doing customized rules with this tool is 
also easy and effective. It can also run external scripts in a framework 
setup it calls active response, with pre-defined scripts for 
firewalling, updating the tcp wrappers conf and some other behaviors, as the 
active response actions. I also love its integration with iplog, and its 
ability to read and parse snort logs. However, it is essentially just a 
HIDS, although it can take advantage of iplog, for example.

I run snort in inline mode because mostly I don't need just to drop 
(flexresp) or to start a response script. Those are limited and 
responsive actions. I need pro-active actions. Most rules in inline mode 
I have with drop or sdrop action, but some others, especially p2p ones, I have 
with "reinject" actions, which send the packet back to IPFIREWALL(4) and let 
me tag+pipe it. When I need a more cohesive setup with snort sensors I tend 
to run Snort with the snortsam patch; but in the standalone setups or the 
complex setups I always have snort_inline in the main strategic areas of 
the topology.

Negative point on snort_inline is that, if, for some reason, it dies, I 
have a DoS on my network. So I run it under daemontools (supervise) and 
get notified if it dies. When it dies it's the sysadmin's fault for not 
testing a rule or some syntax. However, "divert" can always be switched to 
the "tee" action in the firewall if for some reason one believes this is not 
an acceptable thing. I never run with tee, always divert. For me, what is not 
acceptable is using untested rules.

I don't see any other negative point. Everything else is just good to me, 
so it makes my IDS/IPS combo of choice.

> Cheers,
> Mikel
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 at sip.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
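An added sketch of the divert-vs-tee and supervise setup described in the reply above (example code, not from the original post or from the snort/ipfw projects). The divert port, interface, file paths and the snort_inline -J divert-socket option are assumptions; DRY_RUN=1 (the default) only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the original post or from the snort/ipfw projects.
# Assumed (not in the post): divert port 8000, inside interface em0, and the
# snort_inline binary/config paths below; -J <port> is the ipfw divert-socket
# option of the snort_inline / --enable-ipfw builds and is an assumption here.
DIVERT_PORT=8000
IFACE=em0
SNORT=/usr/local/bin/snort_inline
SNORT_CONF=/usr/local/etc/snort/snort.conf

# Emit the ipfw(8) rules that hand traffic to the sensor.
#   divert: the kernel holds each packet until snort re-injects it, so a
#           dead snort means nothing passes (the DoS described in the post).
#   tee:    the kernel forwards the original and sends the sensor a copy, so
#           a dead snort means lost inspection, not lost connectivity.
build_ipfw_rules() {
    mode=$1
    case "$mode" in
        divert|tee) ;;
        *) echo "usage: build_ipfw_rules divert|tee" >&2; return 1 ;;
    esac
    echo "ipfw add 100 $mode $DIVERT_PORT ip from any to any via $IFACE"
    echo "ipfw add 65000 allow ip from any to any"
}

# Apply the rules; DRY_RUN=1 (the default) only prints them so the script
# can be reviewed on a workstation before it touches a production firewall.
apply_ipfw_rules() {
    build_ipfw_rules "$1" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# daemontools run script: supervise restarts snort_inline when it dies,
# which is what keeps a divert setup from turning a crash into an outage.
# Pair it with a log service (multilog) and alerting on restart counts.
daemontools_run_script() {
    cat <<EOF
#!/bin/sh
exec 2>&1
exec $SNORT -J $DIVERT_PORT -c $SNORT_CONF
EOF
}

# Validate the ruleset before loading it, since the post blames untested
# rules for most sensor deaths: snort's -T flag parses the config and exits.
snort_config_test() { "$SNORT" -T -c "$SNORT_CONF"; }
```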
