[Snort-users] Looking for a prebuilt Snort IDS Distro

Jeremy Hoel jthoel at ...11827...
Sun Sep 23 00:12:17 EDT 2012


To ignore IPs you could add them to the HOME and EXTERNAL net
definitions. What we do is add threshold rules to ignore the alerts
that go off due to the scanners; we just ignore them by_src and add our
scanners.

But I'm not sure what you mean by network filter.  Like
Bluecoat/proxy? Or just block (like an IPS)?  I don't know if it's
set up to do IPS. I haven't tried.

On Sat, Sep 22, 2012 at 8:36 AM, Pak Chan <brightlilim at ...11827...> wrote:
> Sorry, that was really badly phrased. I meant to say that I haven't
> discovered all of what it can do yet, so can't comment on its capabilities
> or lack thereof. I'm still in the process of configuring it (and will be for
> a while, mixed in with other work). I also haven't decided if I want to have
> it as an inline sensor/network filter (can it filter as well as sense?) or
> just an out-of-band sensor.
>
> I'll also need to see about configuring it to ignore certain IP addresses
> occasionally (for targeted penetration tests, etc.), which I've not looked
> into yet.
>
> So, I might as well ask the questions: can I use SO as a network filter, and
> can I configure it to allow pen tests on servers without triggering massive
> amounts of alerts?
>
> Pak
> "Build a fire for a man, and he'll be warm for a day. Set a man on fire, and
> he'll be warm for the rest of his life."
>
>
> On 21 September 2012 23:09, Jeremy Hoel <jthoel at ...11827...> wrote:
>>
>> Out of curiosity, what does SO not do for you?
>>
>> On Sep 21, 2012 5:33 PM, "Pak Chan" <brightlilim at ...11827...> wrote:
>>>
>>> That may be true, but there are people who just need an IDS, and having
>>> an easy-to-use IDS appliance (which is effectively what a distro is, or
>>> should be) will help that. Most people won't delve into the code to
>>> understand how it works underneath, in the same way that most people just
>>> purchase and install firewalls without understanding how they work. It means
>>> they won't get the best out of it, but it's a great deal better than if they
>>> didn't have one at all.
>>>
>>> Personally, I'm in that situation at the moment. The last time I looked
>>> at an IDS was one I had helped to build about ten years ago, and it was so
>>> primitive compared to the capabilities modern ones have. I'm getting back
>>> into it again, and finding myself short on time to learn about the
>>> fundamentals, I've decided to go for the SecurityOnion distro. It doesn't
>>> satisfy everything I want (yet), but that's down to my lack of experience in
>>> tweaking it. I'll get better as I learn more about it, but I don't want to
>>> be exposed in the meantime. I'll settle for less-than-ideal in the short
>>> term.
>>>
>>> Pak
>>> "Build a fire for a man, and he'll be warm for a day. Set a man on fire,
>>> and he'll be warm for the rest of his life."
>>>
>>>
>>> On 21 September 2012 17:51, PR <oly562 at ...11827...> wrote:
>>>>
>>>> ps. it shouldn't matter what distro, unix/linux, it's nix. prebuilt? that
>>>> means no real configuring at the beginning, therefore you will not
>>>> learn how it works, where it is, how it can be tweaked, unless you are a
>>>> wizard. not to say you can figure it out, it just means you will have
>>>> less knowledge about how it works at the core.
>>>>
>>>> On Fri, 2012-09-21 at 13:14 +0000, Turnbough, Bradley E. wrote:
>>>> >
>>>> > From: Jaime Nebrera [mailto:jnebrera at ...11827...]
>>>> > Sent: Friday, September 21, 2012 2:51 AM
>>>> > To: snort-users at lists.sourceforge.net
>>>> > Subject: Re: [Snort-users] Looking for a prebuilt Snort IDS Distro
>>>> >
>>>> > On 20/09/12 15:26, Turnbough, Bradley E. wrote:
>>>> >
>>>> > I’m looking for a prebuilt snort IDS Distro.  Preferably based on the
>>>> > Centos 6 series.  Any Suggestions?
>>>> >
>>>> > I’d like it to have (at a minimum):
>>>> >
>>>> > Snort
>>>> > Barnyard 2
>>>> > Snorby
>>>> > Mysql
>>>> >
>>>> >   Hi Bradley,
>>>> >
>>>> >   I would suggest redBorder.net
>>>> >
>>>> >   It contains Snort, Barnyard 2, Snorby (for event management) and
>>>> > MySQL. Besides those, you have a very powerful rule manager, config
>>>> > system and SNMP monitoring as an extension of Snorby and performance
>>>> > enhancements on the Snort side.
>>>> >
>>>> >   It is free for registered users and under open source license.
>>>> >
>>>> > Exactly what I was looking for…. Thanks Jaime!
>>>> >
>>>> >
>>>> > ------------------------------------------------------------------------------
>>>> > Got visibility?
>>>> > Most devs has no idea what their production app looks like.
>>>> > Find out how fast your code is with AppDynamics Lite.
>>>> > http://ad.doubleclick.net/clk;262219671;13503038;y?
>>>> > http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>>>> > _______________________________________________ Snort-users mailing
>>>> > list Snort-users at lists.sourceforge.net Go to this URL to change user options
>>>> > or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> > Snort-users list archive:
>>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit
>>>> > http://blog.snort.org to stay current on all the latest Snort news!


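A concrete form of the tuning Jeremy describes at the top of this thread (putting the authorized scanner addresses into the net variables, and thresholding or suppressing their alerts by source), added here as an example; it is not taken from the thread, from Security Onion, or from redBorder. The addresses 192.0.2.10 and 192.0.2.11, the SIDs 1000001 and 1000002, and the file layout are constructed placeholders; the `suppress`/`event_filter` lines use Snort 2.x threshold.conf syntax.

```conf
# --- snort.conf (excerpt) ---
# Constructed example: 10.0.0.0/8 is the monitored network, and the two
# /32s are the authorized vulnerability scanners used for pen tests.
# Listing the scanners inside HOME_NET means rules written as
# "$EXTERNAL_NET any -> $HOME_NET any" no longer match traffic the
# scanners originate, because EXTERNAL_NET is defined as !$HOME_NET.
ipvar HOME_NET [10.0.0.0/8,192.0.2.10,192.0.2.11]
ipvar EXTERNAL_NET !$HOME_NET

# Event filters and suppressions live in threshold.conf by convention.
include threshold.conf

# --- threshold.conf (excerpt) ---
# Option A: suppress entirely. gen_id 1 is the text-rule generator;
# sig_id 1000001 is a placeholder for the rule the scanners trip.
# track by_src + ip restricts the suppression to the listed source only,
# so the same rule still fires for every other host.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.11

# Option B: keep the scan visible but stop the flood. For a noisy rule
# (placeholder sig_id 1000002) log at most one alert per source host per
# hour; the first packet still raises an event, later ones are dropped
# until the 3600 s window expires.
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 3600
```

`suppress` hides the event completely, which also hides a compromised scanner host or anything else sending from that address, so keep the exclusion to single hosts rather than a subnet and remove it when the test window closes. `event_filter ... type limit` is the less blind choice when one alert per hour is enough to confirm the scan happened. The HOME_NET trick only affects rules that use `$EXTERNAL_NET` as their source; rules written with `any` as the source still fire for the scanners and need a threshold.conf entry.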

