Awesome! Thx, I'll DL it Monday and play with it in my copious spare time (which equates to sometime in 2010!)

----- Original Message -----
From: Kurt Buff <[email protected]>
To: NT System Admin Issues <[email protected]>
Sent: Fri Dec 04 17:13:45 2009
Subject: Re: IDS appliance

http://www.alienvault.com/community.php?section=Vmware

On Fri, Dec 4, 2009 at 13:21, John Cook <[email protected]> wrote:
> Any idea if this will run in a VM? Might be worth looking into.
>
> John W. Cook
> Systems Administrator
> Partnership For Strong Families
> 315 SE 2nd Ave
> Gainesville, Fl 32601
> Office (352) 393-2741 x320
> Cell (352) 215-6944
> Fax (352) 393-2746
> MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Friday, December 04, 2009 3:37 PM
> To: NT System Admin Issues
> Subject: Re: IDS appliance
>
> +1
>
> Get the OSS stuff in there first, and get a handle on what your needs
> actually are, then when you find you need something with more features,
> you'll be able to articulate and evaluate that more effectively.
>
> Consider starting with: http://www.untangle.com/
>
> ASB (My XeeSM Profile)
> Providing Competitive Advantage through Effective IT Leadership
>
> On Fri, Dec 4, 2009 at 1:17 PM, Kurt Buff <[email protected]> wrote:
>
> On Fri, Dec 4, 2009 at 07:29, John Aldrich <[email protected]> wrote:
>> Guys, I was talking to my boss this morning about how we need an IDS
>> appliance to help catch malware as it comes in from the web or as it tries
>> to “phone home.” Now up until yesterday I thought an IDS was just good for
>> catching hackers trying to get through our firewall or something like that.
>> I’m not that knowledgeable about this sort of thing. How exactly does an IDS
>> appliance work?
>
> It depends on the appliance. However, the general theory is that it
> watches the bit stream, and sends alerts when it sees suspicious
> traffic. Often they also trend traffic and do other spiffy things.
>
> Before committing to a commercial product, I'd try the free OSS stuff.
>
> In particular, OSSIM is a very interesting package, though it's more
> than just an IDS. It's got an installer that puts Linux on a box and
> installs snort, ntop, nagios and a bunch of other software, and wraps
> it all up in a pretty web interface.
>
> I'm trying to find the time (and a spare PC) to dive into it.
>
> You can install it on one machine (with several NICs), or use it to
> install a set of sensors at various points in your network that talk
> to a central server that aggregates it.
>
> The critical things are 1) to get enough box to handle the load, 2) to
> place the sensor(s) at points in your network where you're most likely
> to see attacks, 3) dial down the alerts so that they fit your
> environment. They tend to be really noisy - lots of alerts - until you
> get them tuned to only look for things that are relevant to your
> environment. For instance, you don't want to see alerts on traffic
> that looks like an attack on an Oracle server if you don't have Oracle
> in your org.
>
> And, an IPS is basically an IDS that can operate your firewall on the
> fly. They can be as dangerous as combining tequila and handguns, if
> you're not extra careful.
>
> Kurt
>
> ________________________________
> CONFIDENTIALITY STATEMENT: The information transmitted, or contained or
> attached to or with this Notice is intended only for the person or entity to
> which it is addressed and may contain Protected Health Information (PHI),
> confidential and/or privileged material. Any review, transmission,
> dissemination, or other use of, and taking any action in reliance upon this
> information by persons or entities other than the intended recipient without
> the express written consent of the sender are prohibited. This information
> may be protected by the Health Insurance Portability and Accountability Act
> of 1996 (HIPAA), and other Federal and Florida laws. Improper or
> unauthorized use or disclosure of this information could result in civil
> and/or criminal penalties.
> Consider the environment. Please don't print this e-mail unless you really
> need to.
>
> This email and any attached files are confidential and intended solely for
> the intended recipient(s). If you are not the named recipient you should not
> read, distribute, copy or alter this email. Any views or opinions expressed
> in this email are those of the author and do not represent those of the
> company. Warning: Although precautions have been taken to make sure no
> viruses are present in this email, the company cannot accept responsibility
> for any loss or damage that arise from the use of this email or attachments.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
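The alert tuning Kurt describes (drop alerts about an attack on a service you do not run, such as Oracle, while keeping everything else) as a worked example. This is added example code, not code from the thread, from OSSIM or from Snort; it assumes alerts in Snort's one-line "fast" format, and the host inventory, the rule-message prefixes, the SIDs and the sample alert lines are all constructed.

```python
import re
from collections import Counter

# Constructed inventory: the services each internal host actually runs.
INVENTORY = {"10.0.0.5": {"http"}, "10.0.0.9": {"smtp"}}

# Constructed prefix-to-service map; unlisted prefixes are never suppressed.
SERVICE_BY_PREFIX = {"SERVER-ORACLE": "oracle", "SERVER-MYSQL": "mysql",
                     "SERVER-WEBAPP": "http", "SERVER-MAIL": "smtp"}

# Snort "fast" alert line: [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def triage(lines, inventory=INVENTORY):
    """Return (kept_alerts, Counter of suppression reasons); unknown hosts/categories are kept."""
    kept, suppressed = [], Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # blank line or log header
        prefix = alert["msg"].split(" ", 1)[0]
        service = SERVICE_BY_PREFIX.get(prefix)  # None for unknown rule categories
        running = inventory.get(alert["dst"])    # None for hosts not in the inventory
        # Suppress only an attack on a known service aimed at an inventoried host not running it.
        if service and running is not None and service not in running:
            suppressed[f"{prefix} -> {alert['dst']} (no {service})"] += 1
        else:
            kept.append(alert)
    return kept, suppressed

# Constructed sample alerts (documentation-range addresses, made-up SIDs).
SAMPLE_ALERTS = [
    "12/04-17:13:45.000001  [**] [1:1000001:1] SERVER-ORACLE tns connect probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4444 -> 10.0.0.5:1521",
    "12/04-17:13:46.000002  [**] [1:1000002:1] SERVER-WEBAPP directory traversal attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4445 -> 10.0.0.5:80",
    "12/04-17:13:47.000003  [**] [1:1000003:1] MALWARE-CNC outbound beacon [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:50123 -> 198.51.100.2:443",
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_ALERTS)
    print(f"kept {len(kept)}, suppressed {sum(suppressed.values())}: {dict(suppressed)}")
```

The suppression counter is kept alongside the surviving alerts so that every tuning decision stays auditable: when the inventory changes (Oracle gets deployed), the same alerts are kept again.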
