http://www.alienvault.com/community.php?section=Vmware
On Fri, Dec 4, 2009 at 13:21, John Cook <[email protected]> wrote:
> Any idea if this will run in a VM? Might be worth looking into.
>
> John W. Cook
> Systems Administrator
> Partnership For Strong Families
> 315 SE 2nd Ave
> Gainesville, Fl 32601
> Office (352) 393-2741 x320
> Cell (352) 215-6944
> Fax (352) 393-2746
> MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Friday, December 04, 2009 3:37 PM
> To: NT System Admin Issues
> Subject: Re: IDS appliance
>
> +1
>
> Get the OSS stuff in there first, and get a handle on what your needs
> actually are, then when you find you need something with more features,
> you'll be able to articulate and evaluate that more effectively.
>
> Consider starting with: http://www.untangle.com/
>
> ASB (My XeeSM Profile)
> Providing Competitive Advantage through Effective IT Leadership
>
> On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]> wrote:
>
> On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> wrote:
>>
>> Guys, I was talking to my boss this morning about how we need an IDS
>> appliance to help catch malware as it comes in from the web or as it tries
>> to “phone home.” Now up until yesterday I thought an IDS was just good for
>> catching hackers trying to get through our firewall or something like that.
>> I’m not that knowledgeable about this sort of thing. How exactly does an IDS
>> appliance work?
>>
>
> It depends on the appliance. However, the general theory is that it
> watches the bit stream, and sends alerts when it sees suspicious
> traffic. Often they also trend traffic and do other spiffy things.
>
> Before committing to a commercial product, I'd try the free OSS stuff.
>
> In particular, OSSIM is a very interesting package, though it's more
> than just an IDS. It's got an installer that puts Linux on a box and
> installs snort, ntop, nagios and a bunch of other software, and wraps
> it all up in a pretty web interface.
>
> I'm trying to find the time (and a spare PC) to dive into it.
>
> You can install it on one machine (with several NICs), or use it to
> install a set of sensors at various points in your network that talk
> to a central server that aggregates it.
>
> The critical things are 1) to get enough box to handle the load, 2) to
> place the sensor(s) at points in your network where you're most likely
> to see attacks, 3) dial down the alerts so that they fit your
> environment. They tend to be really noisy - lots of alerts - until you
> get them tuned to only look for things that are relevant to your
> environment. For instance, you don't want to see alerts on traffic
> that looks like an attack on an Oracle server if you don't have Oracle
> in your org.
>
> And, an IPS is basically an IDS that can operate your firewall on the
> fly. They can be as dangerous as combining tequila and handguns, if
> you're not extra careful.
>
> Kurt
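Kurt's tuning point (suppress alerts about services you don't actually run, keep anything leaving your own hosts) as an added example; this is not code from any poster or from OSSIM/Snort. It assumes Snort-style `alert_fast` lines and a small host/port inventory, both constructed here with made-up rule ids.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Matches Snort "alert_fast" output; the constructed sample lines below follow this layout.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Hypothetical inventory: for each host we own, the ports it actually serves.
INVENTORY: Dict[str, Set[int]] = {
    "192.168.1.10": {22, 80},   # web server with sshd
    "192.168.1.20": {1433},     # MS SQL box; there is no Oracle anywhere in this org
}

# Constructed sample alerts (sid values are invented, not real rule ids).
SAMPLE_ALERTS = [
    "12/04-13:21:00.000001 [**] [1:9000001:1] WEB-ATTACK suspicious URI [**] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.168.1.10:80",
    "12/04-13:21:01.000002 [**] [1:9000002:1] ORACLE TNS listener probe [**] [Priority: 2] {TCP} 203.0.113.5:40002 -> 192.168.1.20:1521",
    "12/04-13:21:02.000003 [**] [1:9000003:1] SQL-SERVER login attempt [**] [Priority: 2] {TCP} 203.0.113.7:40003 -> 192.168.1.20:1433",
    "12/04-13:21:03.000004 [**] [1:9000004:1] MALWARE possible phone-home beacon [**] [Priority: 1] {TCP} 192.168.1.10:51000 -> 198.51.100.9:8080",
    "12/04-13:21:04.000005 [**] [1:9000005:1] SSH brute force [**] [Priority: 2] {TCP} 203.0.113.9:40005 -> 10.9.9.9:22",
]

@dataclass
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    dport: int

def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["src"], m["dst"], int(m["dport"]))

def is_relevant(alert: Alert, inventory: Dict[str, Set[int]]) -> bool:
    # Outbound traffic from a host we own is always worth a look (the "phone home" case).
    if alert.src in inventory:
        return True
    # Inbound: only if the target is ours and really serves the port being attacked.
    return alert.dport in inventory.get(alert.dst, set())

def tune(lines: Iterable[str], inventory: Dict[str, Set[int]] = INVENTORY) -> List[Alert]:
    """Return the alerts that fit this environment; everything else is noise to suppress."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a is not None and is_relevant(a, inventory)]
```

On the sample input the Oracle probe and the alert against an unknown host drop out, leaving the web attack, the SQL Server login attempt and the outbound beacon.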
