Get out of my head!!
hehe.. I was just adding snort to my systems at home. This is going directly to PDF for reference after the work day ends.
(The author should really be the one to start the forum after each of their articles, but since they didn't: First Post!)
If only it was that easy. Setting it up as an IDS is full of fun anomalies and many web searches. Then you have to tune it down to make the logs manageable on a busy network.
It is a great tool once you get it working though.
ISP connection hits firewall, snort, AV and other detection services in series before it hits the switch appliance.
It's another option anyhow.
That would be a ton o traffic getting dumped to one port.
But without doing that, you would not get much of an accurate picture. But as Neon was saying, putting it at the head of the line lets it act as an IDS....
Hmmm.
Maybe after I get Nagios up and running I'll work on SNORT.
Also, I have no idea how to mirror ports in CatOS, on our 4006, I can manage in IOS, but not CatOS. Freakin cisco...
snort will use every bit of memory you have. There is an option (don't ask me where) to run at a minimum... I had to do that; it would not start because it required so much memory. There are a boat load of rule files, most of which I wanted to use... Those suckers will load into my memory to be real time, thus..
Also, be ready to spend the first week tweaking what you want to appear in your logs... I had a partition fill up because of logs.... That sucker blew chunks all over.
This machine was a 1.8 AMD with a gig of memory, FreeBSD 6.1 I think.
I am not trying to talk anyone out of using snort, trust me. What I am trying to do is warn you that you must spend time fine tuning it...
Be ready for the following:
1). Decide what rules you want to load... And you have a bunch of choices.
2). Be ready to fine tune how much resources this will use.
3). Be ready to fine tune what you want to appear in your logs.
*** This can be broken down to individual rules... And there are thousands of rules.
4). Be ready to take the time to review these logs and tune it further.
I am NOT trying to talk anyone out of using snort. I am trying to WARN you that it requires work. It is not a ready, lock and load application.
I decided not to use it (actually, I was just lazy). I will probably go back to it, but I will be much more careful this time around...
Dan
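One way to do step 4 above (review the logs and find the rules that need tuning), added here as an example and not code from any post in this thread: it parses Snort 2.x "alert_fast" lines (an assumed format; the thread never shows its logs), counts hits per rule and per source host, and proposes a threshold.conf event_filter line for the noisy rules so they are rate-limited rather than silenced. The sample alert lines are constructed for the example.

```python
import re
from collections import Counter

# Snort 2.x "alert_fast" line layout, assumed here (the thread does not show its log format).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts (not from a real sensor); the last line is deliberate garbage.
SAMPLE_LOG = """\
03/14-09:12:01.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:80 -> 192.168.1.5:50123
03/14-09:12:02.000002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
03/14-09:12:03.000003  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.11 -> 192.168.1.1
03/14-09:12:04.000004  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
this line is not an alert and is skipped
"""

def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is dropped."""
    matches = (FAST_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def host(addr):
    """Strip the port from 'ip:port'; bare ICMP addresses pass through (IPv4 assumed)."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def summarize(text):
    """Count alerts per rule and per (rule, source host) so the noisy rules stand out."""
    per_rule, per_src, msgs = Counter(), Counter(), {}
    for a in parse_alerts(text):
        key = (a["gid"], a["sid"])
        per_rule[key] += 1
        per_src[key + (host(a["src"]),)] += 1
        msgs[key] = a["msg"]
    return {"per_rule": per_rule, "per_src": per_src, "msgs": msgs}

def tuning_suggestions(summary, min_count=3):
    """Snort 2 threshold.conf event_filter lines for rules firing at least min_count times.
    'type limit' keeps the first hit per source per minute instead of dropping the rule."""
    out = []
    for (gid, sid), n in summary["per_rule"].most_common():
        if n < min_count:
            break
        out.append(f"# {n} hits: {summary['msgs'][(gid, sid)]}\n"
                   f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
    return out

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (gid, sid), n in s["per_rule"].most_common():
        print(f"{n:5d}  {gid}:{sid}  {s['msgs'][(gid, sid)]}")
    print("\n".join(tuning_suggestions(s)))
```

Run it against a real alert file by replacing SAMPLE_LOG with the file contents; a rule that tops the list every day is the first candidate for an event_filter or a suppress entry.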
sguil. It took a lot to get running, but is the greatest tool I have ever used. We use snort and sguil and have great visibility of our network.
I think that retail cashier computers run Windows in the CPU from a BIOS taskbar at a very high clock speed. They access or log on to the Government Torrent network. Hackers use this method along with viruses to invade systems. Stolen computers or fraudulent retail stores.
to XSS. P4P will give the Government even More Control.
All our cash registers were computers with a touch screen instead of mouse/keyboard. When it booted up there was a BIOS screen; it ran an embedded Windows 2000 system on an 800 MHz Pentium with 256 RAM. All of this was connected by Cat 5 to a Cisco router with a VPN to home office. Credit cards were all done by dial up. The system would be vulnerable once an attack vector could be found.
Can anybody recommend a tool that will parse these logs into something human readable? Perhaps a webpage like Nagios / Webmin / Splunk / Spiceworks? It would be nice to be able to view and sort the resulting logs to get a better idea of what's going on.
Razorback is a minimalistic GUI for snort logs. Not very useful, tho.
There's supposed to be some kind of web interface, IIRC, but I could never get it working.
I concur with the opinion snort is a lot of work. I add the latest rules are not free, you have to subscribe, or wait a month or so to get the latest. This might be a show stopper depending on your needs.
And snort will indeed suck up your available memory. All these factors are why I haven't used snort in a couple of years now. If I were going to use it I would feel compelled to subscribe.
I use BASE/ACID to view the logs. It's a fairly basic Web interface, but it gives me all the information I need.
Never heard of it, thanks for the info. I'll have to look into BASE/ACID. Razorback is pretty lame...
Wish there were an equivalent application that ordinary people could learn how to download and use.
Try WinIDS, which is a Windows based install of Snort with a built in Web interface.
Check out "www.winsnort.com". It has a very noob friendly step by step guide to installing snort and setting up the configs. It even walks you through setting up a website interface and allows you to setup automated email alerts.