 From:  "Lew Maggio" <lew at lsfc dot org>
 To:  "Ziekke" <ziekke at ziekke dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] snort or IDS
 Date:  Mon, 25 Oct 2004 09:03:10 -0500
This to me makes a little more sense, because in this method the IDS
system is used to block attacks, which is nice.  I would like to do
something on my PPTP server that blocks an IP after 100 unsuccessful
login attempts.  This may occasionally block legitimate traffic but a
brute force attack will probably have 100 unsuccessful logins in less
than 10 seconds.  This is just one example of the malicious activities I
want to block.  Now a good IDS/IPS may not even block that particular
attack, but I want to block things LIKE that.  It's the stuff that you
don't anticipate that always gets you.

So I think my next move is to pick up a book on snort, there seem to be
several of them, and just make myself an expert on the subject.

It sure beats buying a $20,000 Cisco IDS appliance.
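The threshold rule described above (block a source after 100 failed PPTP logins inside roughly 10 seconds, while a user mistyping a password a few times is left alone), as an added example that is not part of this thread or of m0n0wall; the log line format, the pptpd tag and the sample addresses are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not any real PPTP daemon's output):
#   "<ISO timestamp> pptpd: auth failed user=<name> src=<ip>"
FAIL_RE = re.compile(r"^(?P<ts>\S+) pptpd: auth failed user=\S+ src=(?P<ip>[\d.]+)$")

class BruteForceDetector:
    """Flag a source IP once it reaches `threshold` failed logins inside a
    sliding `window`; defaults match the 100-in-10-seconds figure above."""

    def __init__(self, threshold=100, window=timedelta(seconds=10)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the IP if it should now be blocked."""
        m = FAIL_RE.match(line)
        if not m or m["ip"] in self.blocked:
            return None
        ts, q = datetime.fromisoformat(m["ts"]), self.failures[m["ip"]]
        q.append(ts)
        while ts - q[0] > self.window:  # age out failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(m["ip"])
            return m["ip"]
        return None

def run(lines, threshold=100, window=timedelta(seconds=10)):
    """Return the sorted IPs the detector would block for this log."""
    det = BruteForceDetector(threshold, window)
    return sorted(ip for ip in map(det.feed, lines) if ip)

def sample_lines():
    """Constructed sample log: one brute-force source (100 failures in 8 s)
    interleaved with a legitimate user who mistypes a password 3 times."""
    t0 = datetime(2004, 10, 25, 9, 3, 10)
    def burst(ip, count, spread):
        step = spread / count
        return [(t0 + step * i, f"pptpd: auth failed user=admin src={ip}")
                for i in range(count)]
    events = burst("203.0.113.5", 100, timedelta(seconds=8)) + \
             burst("192.0.2.7", 3, timedelta(minutes=5))
    return [f"{ts.isoformat()} {msg}" for ts, msg in sorted(events)]

if __name__ == "__main__":
    print(run(sample_lines()))  # → ['203.0.113.5']
```

The detector only decides; pushing the decision into a firewall rule is the part m0n0wall of that era had no hook for, which is the gap the reply below discusses.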

-----Original Message-----
From: Ziekke [mailto:ziekke at ziekke dot net] 
Sent: Monday, October 25, 2004 8:03 AM
To: forums
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] snort or IDS

If you only want to see the intrusion successes and not the intrusion 
attempts, then you want your IDS inside your network. But that isn't 
going to work properly.

You're right that an IDS probably shouldn't run on the firewall, but 
they are *supposed* to be inline outside your router. You can't detect 
intrusions on the inside the same as the outside. Take port scanning for
instance. You want the IDS to detect the port scan and then create a rule
on the fly to block that IP address from the system. Or alert you so 
that you can do so if necessary.

The best way to do this is get a system built as an IDS, hook it up to a
hub, or managed switch so you can do some port mirroring, on the WAN 
side. Use some cat5 with the Tx pairs clipped so that the box is only 
capable of receiving traffic.

Now you have an undetectable IDS that will alert you properly of attacks
on your system. It will do so via another network card that is jacked 
internally to a machine, or the network. It's obviously not going to be 
able to do anything with the connection outside the WAN with no IP 
address :)

I personally wouldn't mind having my firewall running Snort, or an IDS 
as it saves me all that work. Also it would facilitate automatic 
blocking of IP addresses on the m0n0wall, which you couldn't really have
without it built-in.

To have an IDS is to get alerts, so if you don't like getting alerts, 
don't run an IDS.

forums wrote:
> Personally I wouldn't run Snort on the firewall.  I believe the best
> thing to do if you have the extra hardware is to run Snort
> inline/network based (after the m0n0wall - LAN side) if you run Snort
> before (WAN side) or on the m0n0wall you will probably have too many
> alerts to deal with...eventually leading to frustration and a lack of
> maintenance and tuning of your rules.  Having the IDS after the
> will detect any malicious traffic passing through your m0n0wall, as
> as your rules are up to date - just like virus definitions.
> Remember the IDS is just that a detection system NOT a prevention
> system.
> -Puma
> -----Original Message-----
> From: Lew Maggio [mailto:lew at lsfc dot org] 
> Sent: Monday, October 25, 2004 12:41 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] snort or IDS
> I need to implement an IDS system soon, and I would prefer to use
> because it seems to be the most respected and most common.  Has
> built monowall with snort integrated?
