[Snort-users] Looking for a prebuilt Snort IDS Distro

Doug Burks doug.burks at ...11827...
Sun Sep 23 06:10:53 EDT 2012


Hi Pak,

You can manually configure Security Onion as an IPS but that's not
what it was designed for and we don't support it.

We do support BPFs for ignoring specific IP addresses.

If you have further questions specific to Security Onion, please feel
free to use our mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Saturday, September 22, 2012, Pak Chan wrote:
>
> Sorry, that was really badly phrased. I meant to say that I haven't discovered all of what it can do yet, so can't comment on its capabilities or lack thereof. I'm still in the process of configuring it (and will be for a while, mixed in with other work). I also haven't decided if I want to have it as an inline sensor/network filter (can it filter as well as sense?) or just an out-of-band sensor.
>
> I'll also need to see about configuring it to ignore certain IP addresses occasionally (for targeted penetration tests, etc.), which I've not looked into yet.
>
> So, I might as well ask the questions: can I use SO as a network filter, and can I configure it to allow pen tests on servers without triggering massive amounts of alerts?
>
> Pak
> "Build a fire for a man, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life."
>
>
> On 21 September 2012 23:09, Jeremy Hoel <jthoel at ...11827...> wrote:
>
> Out ojmf curiosity, what does SO not do for you?
>
> On Sep 21, 2012 5:33 PM, "Pak Chan" <brightlilim at ...11827...> wrote:
>
> That may be true, but there are people who just need an IDS, and having an easy-to-use IDS appliance (which is effectively what a distro is, or should be) will help that. Most people won't delve into the code to understand how it works underneath, in the same way that most people just purchase and install firewalls without understanding how they work. It means they won't get the best out of it, but it's a great deal better than if they didn't have one at all.
>
> Personally, I'm in that situation at the moment. The last time I looked at an IDS was one I had helped to build about ten years ago, and it was so primitive compared to the capabilities modern ones have. I'm getting back into it again, and finding myself short on time to learn about the fundamentals, I've decided to go for the SecurityOnion distro. It doesn't satisfy everything I want (yet), but that's down to my lack of experience in tweaking it. I'll get better as I learn more about it, but I don't want to be exposed in the meantime. I'll settle for less-than-ideal in the short term.
>
> Pak
> "Build a fire for a man, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life."
>
>
> On 21 September 2012 17:51, PR <oly562 at ...11827...> wrote:
>
> ps. it shouldn't matter what distro, unix/linux, its nix, prebuilt? that
> means, no real configuring at the beginning, therefore, you will not
> learn how it works, where it is, how it can be tweeked, unless you are a
> wizard. not to say you can figure it out, it just means, you will have
> less knowledge about how it works at the core.
>
> On Fri, 2012-09-21 at 13:14 +0000, Turnbough, Bradley E. wrote:
> >
> >
> >
> >
> > From: Jaime Nebrera [mailto:jnebrera at ...11827...]
> > Sent: Friday, September 21, 2012 2:51 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Looking for a prebuilt Snort IDS Distro
> >
> >
> >
> >
> > On 20/09/12 15:26, Turnbough, Bradley E. wrote:
> >
> > I’m looking for a prebuilt snort IDS Distro.  Preferrably based on the
> > Centos 6 series.  Any Suggestions?
> >
> >
> >
> > I’d like it to have (at a minimum):
> >
> >
> >
> > Snort
> >
> > Barnyard 2
> >
> > Snorby
> >
> > Mysql
> >
> >
> >
> >
> >
> >   Hi Bradley,
> >
> >   I would suggest redBorder.net
> >
> >   It contains Snort, Barnyard 2, Snorby (for event management) and
> > MySQL. Besides those, you have a very powerful rule manager, config
> > system and SNMP monitoring as an extension of Snorby and performance
> > enhancements on the Snort side.
> >
> >   It is free for registered users and under open source license.
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Exactly what I was looking for…. Thanks Jamie!
> >
> >
> > This e-mail transmission contains information that is confidential and
> > may be privileged. It is intended only for the addressee(s) named
> > above. If you receive this e-mail in error, please do not read, copy
> > or disseminate it in any manner. If you are not the intended
> > recipient, any disclosure, copying, distribution or use of the
> > contents of this information is prohibited. Please reply to the
> > message immediately by informing the sender that the message was
> > misdirected. After replying, please erase it from your computer
> > system. Your assistance in correcting this error is appreciated.
> > ------------------------------------------------------------------------------



--
Doug Burks
http://securityonion.blogspot.com



-- 
Doug Burks
http://securityonion.blogspot.com




More information about the Snort-users mailing list