
List:       security-basics
Subject:    RE: Snort IDS
From:       "Chad Butler" <chad.butler () ipaymybills ! com>
Date:       2002-09-27 18:21:45

I have seen that you already have a wealth of information pertaining to
your question but I would like to offer my two cents also.  We have been
using snort for about a year now and have been very pleased with its
functionality.  The Silicon Defense folks are very efficient at
providing easy to follow instructions on installing the snort product
and getting it running with some type of log monitoring method via the
web.  There are two ways you can monitor the logs from a web page: via
SnortSnarf and ACID.  We have tried both, starting with SnortSnarf and
ending with ACID.  We have found that for the information as well as the
ease of use, ACID is the better way to go.

I do, however, have to agree with the gentleman that sent out the last
response in the fact that all IDSs do produce many false positives.
However, Snort does work on rulesets that are made out of text files,
which makes it easy to either disable a rules file that doesn't apply to
your network or disable individual rules within the rules file.  There
is also a very big development community out there, as previously
stated, that gives instructions on tweaking, discussions of certain log
files, etc.

The biggest problem I've found in using snort is the difficulty in
finding out what some of the alerts mean.  This is not an inherent
problem with snort itself but rather a problem of having to search for
the material.  This can be a very lengthy process, especially for the
administrator who has many other tasks to take care of.

All this said, I would recommend it to anyone who doesn't need all the
flair or expense of a commercial, name-brand product but rather just
something that can let them know what's hitting their network and at
what frequency.  I would, however, recommend running snort on its own
machine passively (by this I mean removing the TCP/IP stack from all
monitoring network adapters and only leaving it on the adapter you will
use to monitor the logs with.  This is only possible on a machine with
multiple network interfaces.)  The reason I suggest this is that the
ability of an attacker to get access to your logs and corrupt them, if
they can find your machine easily, defeats the purpose of having the IDS
as a forensics tool in the case of a network compromise.

Chad Butler
Security Administrator
GSEC
iPay, LLC

-----Original Message-----
From: hejimenez@bancoagricola.com [mailto:hejimenez@bancoagricola.com]
Sent: Monday, September 23, 2002 5:07 PM
To: security-basics@securityfocus.com
Subject: Snort IDS


Hi everyone!!! I'm an EDP auditor and I want to know some comments
about the use of Snort IDS... I'd like to know if anyone recommends it
and if it's a good choice to install in a financial organization.

Thanks

Héctor E. Jiménez
Systems Audit Coordinator
Banco Agrícola, S.A.
Tel. 279-4545
Ext. 123
email: hejimenez@bancoagricola.com
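Chad's point above is that Snort rules live in plain text files, so a rule that only produces false positives on your network can be switched off by commenting it out rather than by patching the sensor. The script below is an added example, not something from the thread or from the Snort project: it disables rules by their `sid` in a small, constructed rules file (the rule syntax is Snort 2.x style, and the backslash line continuation handling is an assumption about how such files are written), leaving comments and every other rule untouched so the file stays loadable.

```python
import re

# Constructed sample rules file in Snort 2.x rule syntax (not a real
# distribution file).  The icmp rule uses a backslash line continuation.
SAMPLE_RULES = """\
# web.rules (constructed example)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB example A"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB example B"; flow:to_server,established; sid:1000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"already disabled"; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any \\
    (msg:"ICMP example"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def logical_rules(rules_text):
    """Group physical lines into rules; a trailing '\\' continues a rule."""
    buf = []
    for line in rules_text.splitlines(keepends=True):
        buf.append(line)
        if not line.rstrip("\r\n").endswith("\\"):
            yield buf
            buf = []
    if buf:
        yield buf

def rule_sid(lines):
    """SID of an active (uncommented) rule, or None for comments/blanks."""
    if not lines[0].strip() or lines[0].lstrip().startswith("#"):
        return None
    m = SID_RE.search("".join(lines))
    return int(m.group(1)) if m else None

def disable_rules(rules_text, sids_to_disable):
    """Comment out every active rule whose SID is in sids_to_disable.
    Returns (new_text, disabled_sids); everything else passes through
    unchanged, so the edited file stays loadable by Snort."""
    out, disabled = [], []
    for lines in logical_rules(rules_text):
        sid = rule_sid(lines)
        if sid is not None and sid in sids_to_disable:
            out.extend("# " + l for l in lines)  # comment every physical line
            disabled.append(sid)
        else:
            out.extend(lines)
    return "".join(out), disabled

def active_sids(rules_text):
    """SIDs Snort would still load from this text."""
    return [s for s in map(rule_sid, logical_rules(rules_text)) if s is not None]
```

Keeping a list of locally disabled SIDs and re-applying it after each ruleset update is what makes the tuning survive upgrades; the function returns the SIDs it actually found so a stale entry in that list is easy to spot.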
