[Snort-users] New IDS best practise

Kevin Ross kevross33 at ...14012...
Thu Nov 17 10:21:59 EST 2011

I would go commercial if I was you but nothing to stop you running your own
(I have a large organisation with a mix). Anyway what you want to do:

1) Choose a centralised database machine to have base/snorby connect to. I
would recommend keeping it more like one main one per large site. You want
to put sensors at least on all your Internet links as well as default
routes out (especially if traffic is supposed to go out somewhere else and
you have strong outbound firewall policies. Non-proxy aware malware may
just hit itself off the firewall and you can get it with that and also
various generic snort rules, ip blacklists, tools like bothunter etc. Use
barnyard on each sensor to log into the database and have snort write off
as unified2 as it is a lot faster.

2) I won't go into detail here but: Choose locations, setup centralised
database/monitoring, install sensors on each link with 2 network interfaces
- one for management with IP with secure iptables rules to limit access and
a sniffing interface without ip and have SPAN switchport. Check it is
logging. Add more sensors. You could also use a commercial SIEM or open
source one (like OSSIM) to help correlate logs. I would also recommend the
emergingthreats.net rules - especially for current malware stuff going on
and current infection campaigns such as exploit kits.

Tuning is also important and you can use threshold.conf to limit alerts,
supress etc and pulledpork to disable/enable rules automatically so when
your sensors update they are basically being tuned. Make sure you set up
the variable right ($HOME_NET as your internal nets, servers, EXTERNAL_NET
= !$HOME_NET etc).

3) Pitfalls might be your sensor may not be fast enough. Good network
cards, fast disks, memory etc and monitoring (you can use perfmon
preprocessor and pmgraph to view statistics about drops and things) though
I have had just normal PCs in as sensors on fast links sending up to 1TB of
traffic a month while keeping the drop statistic at about 0.3% or below
following tuning which was fine. Tuning whether you go commercial or not is
essential in order to keep FPs down and also improve sensor performance.

With the SSH tunnels there are emergingthreats rules in the emerging-policy
rules which can detect SSH on off ports and things. I have detected SSH
over 443 and things before using them.

Kind Regards,
Kevin Ross

On 16 November 2011 19:59, Michael Maymann <michael at ...15437...> wrote:

> Hi List,
> we are a global multi-site organisation using switched network, firewalls
> and proxies.
> 1. Where would be the best place(s) to put IDS(s), if we aim to have a
> centralised view - e.g. can this be set-up as 1 central master (e.g.
> Snorby) and site slaves (e.g. Snort) on each FW LAN ?
> 2. How would it best be implemented - what would be the preferred steps.
> 3. What could be the typical pitfalls - e.g. would traffic possibly slow
> down because everything needs to go to a 100mbit port where IDS is located,
> etc.
> To begin with we would especially like to detect reverse ssh/corkscrew -
> any ideas how to do this properly in a set-up like ours, with or without
> IDS ?
> Thanks in advance :-) !
> ~Maymann
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20111117/4dad6949/attachment.html>

More information about the Snort-users mailing list