I've been using Snort for a while and really like it. Sensors in the DMZ(s) as well as 
behind the FW. Nice way to audit your FW to make sure what you think is going on IS 
what's going on. Stable, quick, free, easy to use too. I use the ACID interface 
running on an Apache server. It has also helped me find misconfigured routers and 
workstations and other LAN problems. The Snort mailing list is great, and the authors are 
there a lot to help out, as well as lots of other experienced folks. Free tech support, 
free bug fixes, free upgrades. What a concept. ;-) There are also a number of 
"enterprise" initiatives going on to create management tools for Snort: things to keep 
track of your rules, push new ones out to all 100 sensors, etc.

Whichever system you go with, be sure to wire up the sensor lead as per the diagram on 
www.silicondefense.com. Basically, make a read-only cable. That's here: 
http://www.silicondefense.com/techsupport/ro-ethernet.htm

If you're a bigger organization (with lots of sensors, etc.) and a bigger budget than 
mine ;-) it might be worthwhile to look into a product like guarded.net's, which will 
integrate FW-1 logging with Snort, Cisco/syslog, etc., and generate tickets based 
on event correlation (e.g. this host has hit your router, NIDS and FW X number of times on 
these ports, stuff like that), but the Snort/ACID/MySQL combo is hard to beat IMHO. 
Very intuitive, fast (I run mine in real time) and easy to set up.

Good luck with whatever you choose.

- Joe

>>> Tim Anderson <[EMAIL PROTECTED]> 11/29/01 12:15PM >>>
We have budget to purchase an IDS and would like to get suggestions from you
fine folks.  We are looking at SNORT since it is free (except for the
equipment costs) and ISS Real Secure.  We are open to other suggestions as
well.  Also where do you guys have your sensors?  We were thinking that
having one on the DMZ is probably enough but we want some input from others
before we decide.  Thanks!

Tim Anderson

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
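Editor's added example (not part of either message above, and not guarded.net's or Snort's own code): the kind of event correlation Joe describes, where a host that has hit the border router, the firewall and the NIDS more than some number of times on some set of ports gets a ticket opened. The three log snippets are constructed sample data; their field layouts (a simplified FW-1 log export, a Cisco ACL deny syslog line, and Snort "fast" alert lines with SIDs in the local-rule range) are assumptions made for this illustration, so adjust the regexes to the real exports before running this against production logs.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Field layouts are assumptions
# for this example: simplified FW-1 export, Cisco ACL deny syslog, Snort fast alerts.
FW1_LOG = """\
29Nov2001 12:01:05 drop eth0 src 10.9.8.7 dst 192.0.2.10 service 23 proto tcp
29Nov2001 12:01:06 drop eth0 src 10.9.8.7 dst 192.0.2.10 service 139 proto tcp
29Nov2001 12:02:10 accept eth0 src 198.51.100.5 dst 192.0.2.25 service 25 proto tcp
"""

ROUTER_SYSLOG = """\
Nov 29 12:01:04 border-rtr %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.9.8.7(4455) -> 192.0.2.10(23), 1 packet
Nov 29 12:01:07 border-rtr %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.9.8.7(4456) -> 192.0.2.10(445), 1 packet
"""

SNORT_FAST = """\
11/29-12:01:05.123456  [**] [1:1000001:1] LOCAL telnet probe [**] [Priority: 2] {TCP} 10.9.8.7:4455 -> 192.0.2.10:23
11/29-12:03:00.000000  [**] [1:1000002:1] LOCAL smtp probe [**] [Priority: 3] {TCP} 198.51.100.5:3333 -> 192.0.2.25:25
"""

# One regex per log source; each yields (src_ip, dst_ip, dst_port).
# The firewall parser only counts drops: an accepted packet is not a "hit".
PARSERS = {
    "fw": re.compile(r"\bdrop\b.*src (\S+) dst (\S+) service (\d+)"),
    "router": re.compile(r"denied \w+ (\S+)\(\d+\) -> (\S+)\((\d+)\)"),
    "nids": re.compile(r"\{\w+\} (\S+):\d+ -> (\S+):(\d+)"),
}


def parse_events(source, text):
    """Normalise one log source into (source, src_ip, dst_ip, dst_port) tuples."""
    rx = PARSERS[source]
    events = []
    for line in text.splitlines():
        m = rx.search(line)
        if m:
            src, dst, port = m.groups()
            events.append((source, src, dst, int(port)))
    return events


def correlate(events):
    """Group events by source host: which devices saw it, which ports, how often."""
    by_host = defaultdict(lambda: {"sources": set(), "ports": set(), "hits": 0})
    for source, src, _dst, port in events:
        rec = by_host[src]
        rec["sources"].add(source)
        rec["ports"].add(port)
        rec["hits"] += 1
    return by_host


def open_tickets(by_host, min_sources=2, min_hits=3):
    """Ticket a host only when independent devices agree and a hit count is exceeded.

    Requiring agreement between the router ACL, the firewall and the NIDS is
    what stops one noisy Snort rule from paging anyone on its own.
    """
    tickets = []
    for host, rec in sorted(by_host.items()):
        if len(rec["sources"]) >= min_sources and rec["hits"] >= min_hits:
            tickets.append({
                "host": host,
                "seen_by": sorted(rec["sources"]),
                "ports": sorted(rec["ports"]),
                "hits": rec["hits"],
            })
    return tickets


def run():
    """Correlate all three constructed sources and return the tickets to open."""
    events = (parse_events("fw", FW1_LOG)
              + parse_events("router", ROUTER_SYSLOG)
              + parse_events("nids", SNORT_FAST))
    return open_tickets(correlate(events))


if __name__ == "__main__":
    for t in run():
        print(f"TICKET {t['host']}: seen by {t['seen_by']} on ports {t['ports']} ({t['hits']} hits)")
```

On the sample data only 10.9.8.7 is ticketed: all three devices saw it, across ports 23, 139 and 445, five times in total. 198.51.100.5 shows up only in the NIDS (the firewall accepted its SMTP connection), so it stays below both thresholds. The same split is what makes the DMZ-plus-inside sensor placement useful: a hit the outside sensor sees and the inside sensor does not is the firewall doing its job, and one both see is the audit finding.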
