AntiOnline Security Spotlight: IDS with an Open Source Twist
January 15, 2004
What is Snort?
Snort is intrusion detection system (IDS) software that is gaining its share of fans among the open source crowd. As with all open source projects of note, Snort also has an active community that continually extend this "little piggy's" capabilities as well as helping admins make the most of its features.
This week we spotlight a series of tutorials that introduce security-minded admins to the many benefits of Snort. Of course, protecting IP networks requires more than a simple software install. A certain amount of tuning or tweaking is always required to get the most of any security app.
Prepare to learn how a little open source can go a long way towards a secure network.
Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.
Direct links to this week's spotlight threads:
A look into IDS/Snort part 1 of 3
A look into IDS/Snort part 2 of 3
qod kicks off his IDS tutorial with an extensive look at the state of IDS technology today. First, a intro...
Intrusion detection systems (IDS) could be defined as a system that employs process of gathering information (though logs or sniffing) and analyzing that information for possible attempts of intrusion.
Throughout this paper "intrusions" will be referring to both misuse and intrusions unless otherwise specified. Intrusions are attacks originating from outside of your network, while misuse, on the other hand, refers to attacks that originate from the inside of you network.
To further clarify this definition think of a burglar alarm or a surveillance system that watches your house when you are on vacation. If your house is robbed then you could use "logs" from the burglar alarm and the videotape from the surveillance camera to identify the robber.
An IDS functions in much the same way on your network that constantly looks through the network packets trying to detect an intrusion. Once an intrusion is detected it will take the proper action that you specified (sending an email to the security guy or just logging the alert). It is important that you understand that just like a surveillance camera, IDS is used for detection and not prevention.
also touches on the touchy topic of where to place a Snort sensor...
This is going to be heavily influenced by your organizations policy, and what you want to detect. One way of looking at it is determining if you want to place it inside or outside your firewall.
Placing an IDS outside of your firewall will allow you monitor all attacks directed at your network, regardless of whether or not they are stopped at the firewall. This almost certainly means that the IDS will pick up on more events than an IDS inside the firewall, and hence more logs will be generated.
Place an IDS inside your firewall if you are only interested in monitoring traffic that your firewall let pass. If resources permit, it may be best to place one IDS outside and one IDS inside of your firewall. This way you can watch for everything directed at your network, and anything that made it's way in.
In part 2, we're treated to some great tools to supplement Snort's robust intrusion scanning engine.
1) Analysis Console for Intrusion Databases
"The Analysis Console for Intrusion Databases (ACID) is a PHP- based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools."
2) Eagle X
"A free 99% pre-configured IDS for Windows using Snort and IDScenter, Apache, PHP (ACID) and MySQL."
3) Inline Snort
"GIDS (Gateway IDS) mode for snort."
4) Oink Master
"Oinkmaster is simple but useful Perl script released under the BSD license to help you update/manage your Snort rules and disable/enable/modify certain rules after each update (among other things). It will tell you exactly what had changed since the last update, so you'll have total control of your rules. "
"Fast output system for snort."
Ready for a whiff of Snort? Join the ()!
What is AntiOnline?
AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.
We invite you to (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the discussions and expert participants that have helped make AO the "go to" online resource for network security.