[178087] in North American Network Operators' Group
Re: Intrusion Detection recommendations
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sat Feb 14 13:57:53 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <m261b4nazl.wl%randy@psg.com>
From: Jimmy Hess <mysidia@gmail.com>
Date: Sat, 14 Feb 2015 12:57:29 -0600
To: Randy Bush <randy@psg.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush <randy@psg.com> wrote:
Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
By itself, a single install of Snort/Bro is not necessarily a complete
IDS, as it cannot inspect the contents of outgoing SSL sessions, so
there can still be Javascript/attacks against the browser, or SQL
injection attempts encapsulated in the encrypted tunnels; I am not
aware of an open source tool to help you with SSH/SSL interception/SSL
decryption for implementation of network-based IDS.
You also need a hand-crafted rule for each threat that you want Snort
to identify...
Most likely this entails making decisions about what commercial
ruleset(s) you want to use and then buying the appropriate
subscriptions.
> if you were comfortable enough with freebsd to use it as a firewall, you
> can run your traffic through, or mirror it to, a freebsd box running
> https://www.bro.org/ or
> https://www.snort.org/
> two quite reasonable and powerful open source systems
>
> randy
--
-JH
