Need help/info


Need help/info

by ubernewbie

I work for a small company with a hub/spoke network. I've been tasked with setting up an IDS (Snort) to begin monitoring security related events and basically build out a security program/infrastructure. Do any of you have any good sites/forums that go into the process of intrusion detection? I can get the alerts from Snort but there are so many that it's hard to make heads or tails of them. I'm looking for ideas on what to look for and what to pay specific attention to. Also any good websites that alert/explain new vulnerabilities would be great. Any help would be appreciated.
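The original post's complaint about an unmanageable volume of Snort alerts is the usual first hurdle. As an added example (not code from the thread or from the Snort project), the script below parses Snort's one-line alert_fast log format and rolls the alerts up by rule, so the highest-priority and noisiest signatures stand out and the number of distinct sources and targets per rule is visible at a glance. The alert lines, rule messages and SIDs are constructed for the example.

```python
"""Summarise Snort alert_fast output so a flood of alerts becomes triageable.
Added example (not code from the thread or from Snort). Assumes the classic
one-line alert_fast format Snort 2 writes, with IPv4 addresses:
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port
"""
import re

# One alert_fast line. Classification and ports are optional (ICMP has no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts; the rule messages and SIDs (local range) are made up.
SAMPLE_ALERTS = """\
05/20-23:25:01.100000  [**] [1:1000001:1] LOCAL SCAN SSH connection sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 10.0.0.5:22
05/20-23:25:01.200000  [**] [1:1000001:1] LOCAL SCAN SSH connection sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51235 -> 10.0.0.6:22
05/20-23:25:02.000000  [**] [1:1000002:1] LOCAL POLICY ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
05/20-23:25:03.000000  [**] [1:1000003:2] LOCAL WEB suspicious file upload to web server [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.8:40000 -> 10.0.0.80:80
05/20-23:25:04.000000  [**] [1:1000002:1] LOCAL POLICY ICMP echo request [**] [Priority: 3] {ICMP} 10.0.0.8 -> 10.0.0.1
"""

def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group alerts by rule (gid, sid); order by priority (1 = most severe), then volume."""
    rows = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip blank or malformed lines instead of aborting the whole run
        key = (int(a["gid"]), int(a["sid"]))
        r = rows.setdefault(key, {"sid": key[1], "msg": a["msg"], "priority": int(a["prio"]),
                                  "count": 0, "sources": set(), "targets": set()})
        r["count"] += 1
        r["sources"].add(a["src"])
        r["targets"].add(a["dst"])
    return sorted(rows.values(), key=lambda r: (r["priority"], -r["count"]))

if __name__ == "__main__":
    for r in summarize(SAMPLE_ALERTS.splitlines()):
        print(f"P{r['priority']} x{r['count']:<3} sid {r['sid']} {r['msg']} "
              f"({len(r['sources'])} src, {len(r['targets'])} dst)")
```

Point it at a real alert file (`summarize(open("alert"))`) and the top rows are the rules worth reading first; a rule that fires thousands of times from one internal host is usually a tuning problem, while a priority-1 rule firing once against a server is worth a look.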

Re: Need help/info

by Alexandros Papadopoulos

On Wed, May 20, 2009 at 11:25 PM, ubernewbie <duppyconqueror33@...> wrote:
>
> I work for a small company with a hub/spoke network. I've been tasked with
> setting up an IDS(Snort) to begin monitoring security related events and
> basically build out a security program/infrastructure.  Do any of you have
> any good sites/forums that go into the process of intrusion detection.
<snip>

Well... I would first of all ask for onsite help from someone who is more
experienced than this.

For a general "what is snort" article, see
http://en.wikipedia.org/wiki/Snort_(software)

For documentation on specific setups etc see http://www.snort.org/docs/

But, this is not just a point-and-click product, you need to
understand exactly what you're trying to achieve, what the threats are
and what your response will be when you get an alert...

Cheers

-A



Re: Need help/info

by Stephen Mullins

All of the information you need is available on the web.  Just google
your way through this.  At the end of it all you should be pretty well
versed in Snort and associated tasks (sensor placement etc.).

Have fun with it.  I'm a little envious that you get to do this
security build out from scratch.  I have resorted to deploying Snort
on my home network to get that experience.  If you aren't set on an
analysis front end yet I suggest Sguil, of which I am a big fan.

Steve Mullins


Re: Need help/info

by Richard Bejtlich

Hello,

If you're looking for a good book or two, my Tao and Extrusion books will help:

http://www.taosecurity.com/books.html

If you're looking for blogging on the subject, try my blog:

http://taosecurity.blogspot.com

I also wrote a series for TechTarget called Snort Report:

http://searchsecuritychannel.techtarget.com/tips/index/0,289482,sid97_tax307691,00.html

If you're looking for a good Wiki, try:

http://nsmwiki.org

If you're looking for the best suite for network security monitoring, try:

http://www.sguil.net

Good luck!

Richard



Re: Need help/info

by Joel Esler

I might suggest the Snort Mailing lists, available via Snort.org
I might also suggest the forums, available at Snort.org.
Furthermore I might also suggest the IRC channel on irc.freenode.net in #snort

J


--
joel esler | Sourcefire



Re: Need help/info

by Tyrel McMahan

Might I recommend a book? "The Tao of Network Security Monitoring" by
Richard Bejtlich has been a great book for me. He is a big user of
Sguil (pronounced SQUEAL) and other tools using FreeBSD and open
source tools. I did an interview with him a while back and then
later read his book:

http://feeds.apertamedia.com/~r/SitesCollide/~5/1C9nKjkWUvI/scr006.mp3

The book is ISBN 0-321-24677-2
Hope that helps, enjoy!

Tyrel McMahan
tyrel@...
+48.697.770.444 (Warsaw, PL)

gpg Public Key:
555E C4FB 43C1 EDB5 A71F  9619 EB02 3E62 DEEE 7418







Re: Need help/info

by Fossett, Jeff S

Another great book on Snort and Ethereal is "Hack the Stack". It is
from a whitehat/CEH perspective.




Re: Need help/info

by Daniel, Akos

Hi,

It is the same for me. I need to plan and deploy an IPS/IDS system for our hub-spoke sites.
But I think I may not spend any time on a self-installed free product
until I have set up the basic things required for an IPS:
- Event correlation
- Alert setup
- Some/default reports
- Automatic updates (1. signature database updates, 2. OS updates)
- Secured/task-specific OS (only required packages should be installed)
- Manageability (e.g. GUI, user management)
- Predefined backup and restore functions
- Automatic log archiving (space is always short)
- High availability, if required
- ...

In your case as well, I think it is too much to expect from a security engineer without experience, or the impact of using an IPS seems to be low /it is definitely not business critical/.

Huh, that sounds a little bit negative, but I want to help! :-)
I am in the same situation, as I mentioned.
There should be a company with IT security services near your site.
What I plan for my company - as I did that once - is that I will ask for trial products and some introduction with an allocated engineer for a day.
As I have experienced, such companies can give you the box (Cisco IPS, Checkpoint, Juniper, Sourcefire, whatever box) for a couple of days if they smell business :-).
Whatever they feel, it is like a car: if you don't like it, you will leave it.

So first of all, think over what you need in the future and what you have to monitor.
- Topology of your company
- Bandwidth of the sites
- Do you have sensitive hosts or servers on all sites?
- Do you have sensitive applications on all sites?
- How many internet gateways do you have? Do you have one on all sites?
- etc...

Hope you can find something useful in my answer. If not, maybe this one can help to start your journey in the world of Snort:
http://www.vmware.com/appliances/directory/185
http://www.vmware.com/appliances/directory/1310

Cheers,
Akos

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On behalf of Joel Esler
Sent: Monday, 25 May 2009 21:57
To: ubernewbie
Cc: focus-ids@...
Subject: Re: Need help/info


Re: Need help/info

by Stephen Mullins

These are definitely great books.  I recommend every shop I'm in keep
copies on the shelves as references and for Jr. Analysts or those that
don't come from a Network Security Monitoring background.  Nowhere
else that I'm aware of really spells out what NSM is and how to do it
right like Bejtlich's Tao.

Steve Mullins
