[Snort-users] Looking for a prebuilt Snort IDS Distro

Pak Chan brightlilim at ...11827...
Mon Sep 24 13:48:45 EDT 2012


Sorry, by "network filter", read "IPS". I can see that it's going to be a
fun ride, getting reacquainted with the theory and practice...

Pak
"Build a fire for a man, and he'll be warm for a day. Set a man on fire,
and he'll be warm for the rest of his life."


On 23 September 2012 11:10, Doug Burks <doug.burks at ...11827...> wrote:

> Hi Pak,
>
> You can manually configure Security Onion as an IPS but that's not
> what it was designed for and we don't support it.
>
> We do support BPFs for ignoring specific IP addresses.
>
> If you have further questions specific to Security Onion, please feel
> free to use our mailing list:
> http://groups.google.com/group/security-onion
>
> Thanks,
> Doug
>
> On Saturday, September 22, 2012, Pak Chan wrote:
> >
> > Sorry, that was really badly phrased. I meant to say that I haven't
> discovered all of what it can do yet, so can't comment on its capabilities
> or lack thereof. I'm still in the process of configuring it (and will be
> for a while, mixed in with other work). I also haven't decided if I want to
> have it as an inline sensor/network filter (can it filter as well as
> sense?) or just an out-of-band sensor.
> >
> > I'll also need to see about configuring it to ignore certain IP
> addresses occasionally (for targeted penetration tests, etc.), which I've
> not looked into yet.
> >
> > So, I might as well ask the questions: can I use SO as a network filter,
> and can I configure it to allow pen tests on servers without triggering
> massive amounts of alerts?
> >
> > Pak
> > "Build a fire for a man, and he'll be warm for a day. Set a man on fire,
> and he'll be warm for the rest of his life."
> >
> >
> > On 21 September 2012 23:09, Jeremy Hoel <jthoel at ...11827...> wrote:
> >
> > Out of curiosity, what does SO not do for you?
> >
> > On Sep 21, 2012 5:33 PM, "Pak Chan" <brightlilim at ...11827...> wrote:
> >
> > That may be true, but there are people who just need an IDS, and having
> an easy-to-use IDS appliance (which is effectively what a distro is, or
> should be) will help that. Most people won't delve into the code to
> understand how it works underneath, in the same way that most people just
> purchase and install firewalls without understanding how they work. It
> means they won't get the best out of it, but it's a great deal better than
> if they didn't have one at all.
> >
> > Personally, I'm in that situation at the moment. The last time I looked
> at an IDS was one I had helped to build about ten years ago, and it was so
> primitive compared to the capabilities modern ones have. I'm getting back
> into it again, and finding myself short on time to learn about the
> fundamentals, I've decided to go for the SecurityOnion distro. It doesn't
> satisfy everything I want (yet), but that's down to my lack of experience
> in tweaking it. I'll get better as I learn more about it, but I don't want
> to be exposed in the meantime. I'll settle for less-than-ideal in the short
> term.
> >
> > Pak
> > "Build a fire for a man, and he'll be warm for a day. Set a man on fire,
> and he'll be warm for the rest of his life."
> >
> >
> > On 21 September 2012 17:51, PR <oly562 at ...11827...> wrote:
> >
> > ps. it shouldn't matter what distro, unix/linux, it's nix. prebuilt? that
> > means no real configuring at the beginning, therefore you will not
> > learn how it works, where it is, how it can be tweaked, unless you are a
> > wizard. not to say you can't figure it out, it just means you will have
> > less knowledge about how it works at the core.
> >
> > On Fri, 2012-09-21 at 13:14 +0000, Turnbough, Bradley E. wrote:
> > >
> > > From: Jaime Nebrera [mailto:jnebrera at ...11827...]
> > > Sent: Friday, September 21, 2012 2:51 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Looking for a prebuilt Snort IDS Distro
> > >
> > > On 20/09/12 15:26, Turnbough, Bradley E. wrote:
> > >
> > > I'm looking for a prebuilt Snort IDS distro, preferably based on the
> > > CentOS 6 series. Any suggestions?
> > >
> > > I'd like it to have (at a minimum):
> > >
> > > Snort
> > >
> > > Barnyard 2
> > >
> > > Snorby
> > >
> > > Mysql
> > >
> > >   Hi Bradley,
> > >
> > >   I would suggest redBorder.net
> > >
> > >   It contains Snort, Barnyard 2, Snorby (for event management) and
> > > MySQL. Besides those, you have a very powerful rule manager, config
> > > system and SNMP monitoring as an extension of Snorby and performance
> > > enhancements on the Snort side.
> > >
> > >   It is free for registered users and under open source license.
> > >
> > > Exactly what I was looking for. Thanks Jaime!
> > >
> > >
> > >
> --
> Doug Burks
> http://securityonion.blogspot.com
>
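Doug's point about using a BPF to ignore specific IP addresses during a penetration test deserves a concrete illustration. The following is an added example, not code from the thread, from Security Onion or from Snort: it builds the BPF expression that drops traffic to or from a list of tester hosts and subnets, and models which packets that filter would hide from the sensor. The deployment detail is an assumption: Snort reads a BPF from a file given with `-F <file>` (Security Onion keeps a per-sensor BPF file as well; check the path on your own install). Keep in mind what a BPF does: the excluded traffic is never captured at all, so it produces neither alerts nor packet data, and a tester's activity is invisible to the sensor for the duration. If you would rather keep the packets and only silence the alerts, Snort's `suppress` entries in threshold.conf are the usual alternative.

```python
import ipaddress
from typing import Iterable, List

# Assumed deployment detail (not from the thread): the expression returned by
# bpf_exclude() is written to the BPF file Snort loads with -F <file>, or to
# Security Onion's per-sensor BPF file. Verify the path for your install.


def bpf_exclude(addrs: Iterable[str]) -> str:
    """Build a BPF expression that excludes traffic to or from the given hosts
    or CIDR blocks. Each entry is validated with the ipaddress module so a typo
    raises ValueError instead of quietly becoming a filter that matches the
    wrong thing (a silently wrong BPF hides traffic you did want to inspect)."""
    terms: List[str] = []
    for raw in addrs:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.num_addresses == 1:
            # single host (IPv4 or IPv6): "host a.b.c.d"
            terms.append(f"host {net.network_address}")
        else:
            # whole prefix: "net a.b.c.0/24"
            terms.append(f"net {net.with_prefixlen}")
    if not terms:
        return ""  # an empty BPF means capture everything
    return "not (" + " or ".join(terms) + ")"


def is_excluded(src: str, dst: str, addrs: Iterable[str]) -> bool:
    """Model of what the filter above does to one packet: True when either
    endpoint falls inside an excluded host or net, meaning the sensor never
    sees the packet (no alert, no pcap)."""
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in addrs]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in nets)


# Constructed sample: two pen-test workstations and one scanner subnet.
PENTEST_SOURCES = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"]

if __name__ == "__main__":
    print(bpf_exclude(PENTEST_SOURCES))
    # Constructed flows: the first comes from a tester box, the second does not.
    for src, dst in [("192.0.2.10", "10.0.0.5"), ("10.0.0.7", "10.0.0.5")]:
        verdict = "dropped" if is_excluded(src, dst, PENTEST_SOURCES) else "inspected"
        print(f"{src} -> {dst}: {verdict}")
```

Generating the expression from a validated list rather than typing it by hand matters because the BPF is applied before any rule runs: a mistyped address or an overly broad prefix removes traffic from both the IDS and full packet capture without any error surfacing in the alert stream.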