[Snort-users] *very* many snort installations..
Adriel T. Desautels
atd at ...10635...
Mon Dec 1 21:43:57 EST 2003
Host and network IDS are not always different animals, in particular
when they work with each other. Host based IDS means that you do not
have to rely on the network for your "trigger" information. I actually
wrote an article on the issues with IDS, which can be found at:
In summary, I discuss how NIDS alone is a failure as it relies on
JUST the network. All of us know that you can spoof packets and forge
traffic. Because of this, you can also make NIDS go nuts if you are
crafty enough. Our IDS solution is actually an NIDS enhancer which adds
HIDS functionality to your current NIDS solution. It also adds
centralization, data consolidation, and data correlation for high-speed
viewing and false-positive validation. It is not really an NIDS system
though, as we don't make the NIDS engines. It currently only supports SNORT
but will soon support ISS products.
At any rate, if anyone has any questions about turning your current NIDS
into an NIDS+HIDS, let me know.
hugh_fraser at ...2804... wrote:
>The host and network IDS's are different animals. Symantec (and several
>other companies) offer a HID that monitors and enforces policies that
>define how applications on the host behave. While this includes network
>activity, it goes beyond that to include access to any resources on the
>host. It's very different from, but at the same time complementary to, what a
>NID does. Both provide valuable insight into what's happening in your
>environment, and are indispensable when doing the forensic work your
>Deployment of NID technology on all workstations may provide more
>resolution than you need if there are key network "hubs" through
>which all internal traffic passes. As always, start with the perimeter
>firewalls, but also include dialup access points (i.e. Citrix,
>reachout, etc.). Internally, monitor the routers, hubs, firewalls, etc.
>As well, monitor servers providing common networking services, such as
>proxy servers. If you're running a switched network and using VLANs to
>segment traffic, monitor systems that may straddle multiple VLANs, such
>as domain controllers, dns or dhcp servers, etc.. With some up-front
>effort, you may find that a much smaller deployment of NIDs can provide
>you with the ability to track activity, without an overwhelming
>infrastructure to manage.
>In the same way, deploying a HID to 10,000 machines may also be
>overkill. Again, the selection of key points to monitor may provide you
>with the information you need.
>Don't underestimate the impact of either of these technologies on the
>systems to which they're deployed. HIDs, especially, may require
>considerable amounts of hand-holding before they become invisible to the
>end user. In anything other than vanilla applications that the HID
>understands out of the box, it will need to be taught what to expect
>before it can be deployed to provide non-noise information. And if
>you're using them to enforce policies rather than just monitor for
>violations, this training will be even more important unless your help
>desk enjoys extra work.
>Enforcement is the holy grail we're all looking for, since it's a
>reality that you will at some point suffer an intrusion, and enforcing
>policies (whether in a NID or a HID) is what will allow you to contain
>the intrusion and limit the damage.
>With regards to the collection of traffic from 10,000 machines,
>hierarchical approaches need to be used to deal with the load. In a
>large environment, it typically makes sense to have local collection
>agents that do some form of filtering and correlation and forward
>traffic on to higher levels that have a more enterprise view. This buys
>you several benefits... Each local collection agent can be relatively
>autonomous, giving you a degree of fault tolerance. It localizes
>potentially heavy network traffic in the event of an intrusion. Finally,
>it provides you with a scalable architecture that can be adapted to
>arbitrary changes either in capacity or topology.
>Senior Technical Specialist
>>From: Jason Haar [mailto:Jason.Haar at ...294...]
>>Sent: Wednesday, November 26, 2003 6:01 PM
>>To: snort-users at lists.sourceforge.net
>>Subject: RE: [Snort-users] *very* many snort installations..
>>On Thu, 2003-11-27 at 04:46, Michael Steele wrote:
>>>The solution is not to install Snort on every workstation.
>>Strange - companies like Symantec would disagree with you.
>>They certainly think there's a future in host-based IDS.
>>Of course, the IDS is easy - it's the centralised management
>>that's hard... How you handle 10,000 hosts all sending 100
>>alerts/sec to your central console when SLAMMER-IV hits one
>>machine is beyond me ;-)
>>[to be fair, I'm confusing centralised management with
>>centralised logging here]
>>Information Security Manager, Trimble Navigation Ltd.
>>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
Adriel T. Desautels
Secure Network Operations, Inc.
Phone: 978-263-3829 || Fax : 978-263-0033
"Embracing the future of technology, protecting you."
Enhance your IDS-------: http://www.secnetops.com/products
Nightly Security Audits: http://www.secnetops.com/services
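A worked example of the hierarchical collection Hugh describes above (a local agent that filters and correlates before forwarding, so that one worm-infected host does not drown the central console), added here as an illustration; it is not code from the original posts, from Secure Network Operations, or from Snort itself. It assumes alerts arrive in Snort's alert_fast line format. The LocalCollector class, its window and rate-limit defaults, the signature IDs in the local (1000000+) range, and the sample alert lines are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Layout of a Snort "fast" alert line (alert_fast output): timestamp, [gid:sid:rev],
# message, optional classification, priority, protocol, src[:port] -> dst[:port].
# ICMP alerts carry no ports, hence the optional port groups.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    # The fast format has no year; strptime fills in 1900, which is fine for window
    # arithmetic as long as one run does not straddle a New Year boundary.
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    a["prio"] = int(a["prio"])
    return a

class LocalCollector:
    """Hypothetical site-level collection agent (name and design are this example's own).
    Alerts are grouped by (gid, sid, src) into fixed-length windows. The first raw_limit
    alerts of a group are forwarded verbatim so the console sees the event at once; the
    rest are suppressed and reported as one summary when the window closes."""

    def __init__(self, window_seconds=60, raw_limit=3):
        self.window = timedelta(seconds=window_seconds)
        self.raw_limit = raw_limit
        self.open = {}       # (gid, sid, src) -> state of the current window
        self.unparsed = 0    # lines that did not match the fast format

    def ingest(self, line):
        """Feed one alert line; return the messages to forward upstream right now."""
        a = parse_fast_alert(line)
        if a is None:
            self.unparsed += 1
            return []
        out = []
        key = (a["gid"], a["sid"], a["src"])
        w = self.open.get(key)
        if w is not None and a["ts"] - w["first_seen"] >= self.window:
            out.append(self._summary(key, w))   # close the expired window first
            w = None
        if w is None:
            w = {"first_seen": a["ts"], "count": 0, "dsts": set(),
                 "msg": a["msg"], "prio": a["prio"]}
            self.open[key] = w
        w["count"] += 1
        w["last_seen"] = a["ts"]
        w["dsts"].add(a["dst"])
        if w["count"] <= self.raw_limit:
            out.append({"type": "alert", "gid": a["gid"], "sid": a["sid"], "msg": a["msg"],
                        "src": a["src"], "dst": a["dst"], "prio": a["prio"]})
        return out

    def flush(self):
        """Close every open window (end of run or periodic timer); return the summaries."""
        out = [self._summary(k, w) for k, w in self.open.items()]
        self.open.clear()
        return out

    def _summary(self, key, w):
        gid, sid, src = key
        return {"type": "summary", "gid": gid, "sid": sid, "msg": w["msg"], "src": src,
                "prio": w["prio"], "count": w["count"], "unique_dsts": len(w["dsts"]),
                "suppressed": max(0, w["count"] - self.raw_limit),
                "first_seen": w["first_seen"].strftime("%m/%d-%H:%M:%S"),
                "last_seen": w["last_seen"].strftime("%m/%d-%H:%M:%S")}

def sample_alerts(n_targets=500):
    """Constructed input, not real Snort output: one host spraying n_targets peers with
    the same made-up local-range signature, one unrelated ICMP alert, one junk line."""
    base = datetime(1900, 12, 1, 21, 43, 57)
    lines = []
    for i in range(n_targets):
        ts = (base + timedelta(milliseconds=20 * i)).strftime("%m/%d-%H:%M:%S.%f")
        lines.append(f"{ts}  [**] [1:1000001:1] LOCAL worm propagation attempt [**] "
                     f"[Classification: Misc Attack] [Priority: 2] {{UDP}} "
                     f"10.0.5.17:1434 -> 10.0.{i // 250}.{i % 250 + 1}:1434")
    lines.append("12/01-21:44:10.000000  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] "
                 "[Priority: 3] {ICMP} 10.0.9.9 -> 10.0.5.1")
    lines.append("not an alert line; a real agent would log and drop this")
    return lines

def run(lines, window_seconds=60, raw_limit=3):
    """Push lines through one collector; return (collector, everything it forwarded)."""
    agent = LocalCollector(window_seconds, raw_limit)
    forwarded = []
    for line in lines:
        forwarded.extend(agent.ingest(line))
    forwarded.extend(agent.flush())
    return agent, forwarded
```

Running `run(sample_alerts())` turns 502 input lines into six upstream messages: three verbatim alerts and one summary for the spraying host (500 hits, 500 distinct destinations, 497 suppressed), one alert and one summary for the ping sweep, with the junk line counted rather than forwarded. Keying on source rather than destination is what makes a sweep collapse into a single summary; a real agent would add a timer-driven flush, a bound on the open-window table so a spoofed flood of distinct sources cannot exhaust memory, and an authenticated channel upstream so a forged summary cannot be injected at the aggregation layer.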