Thread: Intrusion detection

#1 | 07-08-2004, 12:16 AM | Junior Guru | Join Date: May 2002 | Posts: 207
Intrusion detection
I am curious to know what others are using on their networks for intrusion detection. We are looking into finding a new solution and are looking for suggestions.
Thanks
Alvin Slocombe
E-Insites - "Web services, simplified."
#2 | 07-08-2004, 12:19 AM | Web Hosting Master | Join Date: Apr 2001 | Posts: 2,611
What solution are you using now? What OS?
#3 | 07-08-2004, 12:22 AM | Junior Guru | Join Date: May 2002 | Posts: 207
We are using Snort, but it does not seem to catch everything.
Alvin Slocombe
E-Insites - "Web services, simplified."
#4 | 07-08-2004, 12:33 AM | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
Do you use updated rules?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
#5 | 07-08-2004, 12:49 AM | Junior Guru | Join Date: May 2002 | Posts: 207
I think it may be badly configured.
I am considering putting a new server in place and hiring someone to install Snort for me on this server.
What hardware would you suggest, thelinuxguy, and also would this be something you would be open to? You can email me at alvin@e-insites.com. I will be leaving here in 5 minutes to go install new cabinets at our new datacenter, but I will have my laptop with me.
Thanks
Alvin Slocombe
E-Insites - "Web services, simplified."
#6 | 07-08-2004, 02:28 AM | Web Hosting Master | Join Date: Dec 2003 | Location: Brisbane, Queensland, Australia | Posts: 550
The intrusion detection system we use is Snort + updated rules and ACID as the php frontend.
You probably don't have Snort set up correctly.
I could help you with this.
#7 | 07-08-2004, 03:51 AM | Junior Guru | Join Date: May 2002 | Posts: 207
We will have our Linux techs work on the server tomorrow. Thanks for all the help and suggestions.
Alvin Slocombe
E-Insites - "Web services, simplified."
#8 | 07-09-2004, 12:47 AM | Aspiring Evangelist | Join Date: Jun 2004 | Location: Tampa Florida | Posts: 428
As someone who puts together Snort sigs on a daily basis, I have to say that your "Linux Techs" probably don't have the knowledge to set this up properly. While Snort is the best IDS engine by far, it is not the easiest to set up. The new Flow portscan preprocessor alone will give most people a headache just to look at the config. If properly configured, though, it will catch more nasty activity than any other IDS system out there. It also has the fastest signature development community imaginable. We often have a rule out within minutes of an initial packet capture for an exploit.
My strong suggestion would be to have one person spend a week or so reading all the available documentation on Snort and buy the Ingress book. It is very good. In a basic setup way.
If you have any basic questions, I'm sure there are enough of us here to give you a hand. Also, the snort-misc mailing list is a very nice user community. If you post a basic question there you will not get flamed to death.
Rock solid hosting and dedicated servers since 1998!
StabilityHosting - Where stability and uptime are king!
#9 | 07-10-2004, 02:35 AM | Junior Guru | Join Date: May 2002 | Posts: 207
Thanks for the suggestion. A couple of our techs were well versed in Snort, and had read all sorts of books on it. What I did not mention was that we were doing it with three different servers, and we finally tracked the problem down to the MySQL server.
We have Snort up and running correctly again now. Thank you for your help and suggestions.
Regards
Alvin Slocombe
E-Insites - "Web services, simplified."
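The thread's resolution is a useful lesson: the sensor was detecting fine, but the database behind the ACID frontend was dropping alerts, so it looked as if Snort "did not catch everything". The check a practitioner wants in that situation is to read the sensor's own plain-text alert output and compare it with what the frontend reports. The following is an added example, not code from the thread or from the Snort project: it parses Snort's `alert_fast` single-line output format, counts alerts per signature, reports how long the sensor has been silent, and computes how many alerts never reached the database. The alert lines, signature IDs, addresses and the database count are constructed sample data; the year must be supplied because `alert_fast` timestamps do not include one.

```python
"""Sanity-check Snort alert_fast output independently of the database backend.

Added example (not from the thread). Idea: if alerts seem to be missing,
first confirm the sensor itself is writing them, then reconcile that count
with whatever the database frontend (ACID over MySQL in the thread) shows.
"""
import re
from collections import Counter
from datetime import datetime

# Layout of a Snort alert_fast line, e.g.
# 07/08-00:16:01.000123  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 3] {TCP} a:p -> b:q
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # classification is optional
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alert lines (not real sensor output); the fifth line is
# deliberately malformed to show that non-alert lines are counted, not parsed.
SAMPLE_ALERTS = [
    "07/08-00:16:01.000123  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80",
    "07/08-00:16:05.500000  [**] [1:1000002:2] CONSTRUCTED another rule [**] [Priority: 2] {UDP} 192.0.2.11:5353 -> 198.51.100.5:53",
    "07/08-00:17:10.000000  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.12:44322 -> 198.51.100.5:80",
    "07/08-00:17:11.000000  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.12:44323 -> 198.51.100.5:80",
    "this is not an alert line and should be reported as malformed",
    "07/08-00:17:11.000000  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.12:44324 -> 198.51.100.5:80",
]


def parse_fast_alert(line, year):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # alert_fast timestamps carry month/day/time only; the caller supplies the year.
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def summarize(lines, year):
    """Count parsed alerts per signature ID, count malformed lines, keep the newest timestamp."""
    alerts, malformed = [], 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_fast_alert(line, year)
        if alert is None:
            malformed += 1
        else:
            alerts.append(alert)
    return {
        "total": len(alerts),
        "per_sid": Counter(a["sid"] for a in alerts),
        "malformed": malformed,
        "last_ts": max((a["ts"] for a in alerts), default=None),
    }


def reconcile(file_total, db_total):
    """Alerts the sensor wrote that the database frontend does not show (never negative)."""
    return max(file_total - db_total, 0)


def sensor_idle_seconds(summary, now):
    """Seconds since the sensor last alerted; None if the file holds no alerts at all."""
    if summary["last_ts"] is None:
        return None
    return (now - summary["last_ts"]).total_seconds()


if __name__ == "__main__":
    # Assumed values for the demonstration: year 2004, a "now" three minutes after
    # the last sample alert, and a database that only ever received 3 of the alerts.
    s = summarize(SAMPLE_ALERTS, 2004)
    print("alerts in file:", s["total"], "malformed lines:", s["malformed"])
    for sid, n in s["per_sid"].most_common():
        print(f"  sid {sid}: {n}")
    print("sensor idle (s):", sensor_idle_seconds(s, datetime(2004, 7, 8, 0, 20, 11)))
    print("alerts missing from database:", reconcile(s["total"], 3))
```

Run against a real sensor, `summarize` would be fed the lines of the `alert_fast` file and `reconcile` the row count from the alert table; a persistent non-zero gap points at the output plugin or the database, not at the rules, which is exactly the distinction the original poster needed.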