  1. #1

    Intrusion detection

    I am curious to know what others are using on their networks for intrusion detection. We are looking into finding a new solution and are looking for suggestions.


    Thanks
    Alvin Slocombe
    E-Insites - "Web services, simplified."

  2. #2
    Join Date
    Apr 2001
    Posts
    2,611
    What solution are you using now? What OS?

  3. #3
    We are using snort, but it does not seem to catch everything.
    Alvin Slocombe
    E-Insites - "Web services, simplified."

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Do you use updated rules?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    I think it may be badly configured.

    I am considering putting a new server in place and hiring someone to install snort for me on this server.

    What hardware would you suggest thelinuxguy, and also would this be something you would be open to? You can email me at alvin@e-insites.com. I will be leaving here in 5 minutes to go install new cabinets at our new datacenter, but I will have my laptop with me.

    Thanks
    Alvin Slocombe
    E-Insites - "Web services, simplified."

  6. #6
    Join Date
    Dec 2003
    Location
    Brisbane, Queensland, Australia
    Posts
    550
    The intrusion detection system we use is Snort + updated rules and ACID as the PHP frontend.

    You probably don't have Snort set up correctly.

    I could help you with this.

  7. #7
    We will have our Linux techs work on the server tomorrow. Thanks for all the help and suggestions.
    Alvin Slocombe
    E-Insites - "Web services, simplified."

  8. #8
    Join Date
    Jun 2004
    Location
    Tampa Florida
    Posts
    428
    As someone who puts together Snort sigs on a daily basis, I have to say that your "Linux techs" probably don't have the knowledge to set this up properly. While Snort is the best IDS engine by far, it is not the easiest to set up. The new flow-portscan preprocessor alone will give most people a headache just to look at the config. If properly configured, though, it will catch more nasty activity than any other IDS system out there. It also has the fastest signature development community imaginable. We often have a rule out within minutes of an initial packet capture for an exploit.
    My strong suggestion would be to have one person spend a week or so reading all the available documentation on Snort and buy the Ingress book. It is very good, in a basic-setup way.
    If you have any basic questions, I'm sure there are enough of us here to give you a hand. Also, the snort-misc mailing list is a very nice user community. If you post a basic question there you will not get flamed to death.
    Rock solid hosting and dedicated servers since 1998!
    StabilityHosting Where stability and uptime are king!

  9. #9
    Thanks for the suggestion. A couple of our techs were well versed in Snort, and had read all sorts of books on it. What I did not mention was that we were doing it with three different servers, and we finally tracked the problem down to the MySQL server.

    We have snort up and running correctly again now. Thank you for your help and suggestions.

    Regards
    Alvin Slocombe
    E-Insites - "Web services, simplified."
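A quick way to confirm that a reconfigured sensor like the one in this thread is actually emitting alerts, and that the output format is what your frontend expects, is to summarise its `alert_fast` log. This is an added example, not code from any poster or from the Snort project; the alert lines and the SIDs in them are constructed for the demonstration.

```python
"""Summarise Snort 'alert_fast' output: alerts per signature and per source,
plus a count of lines the parser could not read (constructed sample below)."""
import re
from collections import Counter

# One alert per line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port].  Classification and ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: three TCP alerts, one ICMP alert without ports, one junk line.
SAMPLE_ALERTS = """\
06/14-09:12:03.441201  [**] [1:100001:2] EXAMPLE web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
06/14-09:12:04.002817  [**] [1:100001:2] EXAMPLE web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51240 -> 198.51.100.5:80
06/14-09:12:09.120000  [**] [1:100002:1] EXAMPLE ICMP large echo [**] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
06/14-09:13:44.900431  [**] [1:100003:1] EXAMPLE MySQL login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40001 -> 198.51.100.9:3306
this line is not a snort alert and must be reported as unparsed
"""

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Count alerts per (sid, msg) and per source address; track lines that failed to parse."""
    by_sig, by_src, unparsed = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            unparsed += 1  # non-zero here usually means the output plugin or its format changed
            continue
        by_sig[(int(a["sid"]), a["msg"])] += 1
        by_src[a["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src, "unparsed": unparsed}

if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in s["by_sig"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("top sources:", s["by_src"].most_common(3), "| unparsed:", s["unparsed"])
```

Point it at the real `alert` file produced by the `alert_fast` output plugin; a flat zero across the board after traffic has passed the sensor points at configuration rather than at the rule set.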
