Jul 2

Snort Rocks!

Category: InfoSec

Ok, its been ages since I actually had snort up and running, so long in fact that the last time I used it, ACID was still the best way to deal with the alerts! Well after a couple of days (well a couple of hours here and there at least) I have a fully functional set of snort sensors in place on public and private segments of my networks, all feeding to a centralised database with “BASE” handling the analysis! woohoo. small victories are the best!

I can definatley say its come a long way. It was much easier to install, and only took a small amount of syntax debugging to figure out the configs. During my research / re-learning curve though it would seem that version 2.8 with the stream5 processor is not as good as version 2.4 with the flow processor at detecting portscans. This was certainley the concensus of the community, and after a bit of playing I can agree. However, I now have sfPortscan running with stream5 and its seems pretty accurate to me, so I am certainly happy with the results.

BASE is also a welcome move onwards from what used to be a very clunky interface. It seems light and intuitive, with decent features. I think it could do with the addition of some basic graphs, rather than having to use the graph engine to define your graphs each time, but on the whole i think it is certainly a good alternative to spending a large amount of money on a commercial product. Certainly the ability to abstract the managemnet interface, data storage and sensors from each other gives you a highly scaleable model to use a basis for a large scale deployment.

Of course, if you don’t fancy the pain of compiling code from scratch, or your just dam lazy, check out EasyIDS for a complete “IDS in a box” that gives you everything I just said with none of the hastle!

….You just can’t ingore the momentum that opensource has gained 😉

2 comments

2 Comments so far

  1. Neil October 25th, 2008 2:06 am

    I can confirm SNORT’s a great piece of kit, particularly if you use port mirroring in which case you could run in stealth mode.

    The only issue I had was configuring all of the rules, which can be overcome using a third party piece of software like Activeworx Enterprise ( http://www.activeworx.com ). This also gives you a landscape view of your network, similar to any NMS system. The price tags not alot and if budgets don’t allow you to purcahse it just yet, at least use their trial to help you set up the kit.

    In my oppinion, SNORT combined with third party software is nearly as good as other products like Cisco MARS ( http://www.cisco.com/en/US/products/ps6241/ ). I’ve been playing with this product for a while now and the biggest difference is the ability for it to update rules upon routers and firewalls (IDS/IPS all in one) if the IDS tripwires are triggered. Now SNORT will do things like TCP resets, but in this day and age these can be overcome. Cisco MARS has been tested by many of my professional friends and they can’t break it. I would suggest asking Cisco to loan you some kit and try attacking it yourself, see whether you can break it!

    Going back to SNORT though, because it’s free there shouldn’t be any excuse for not using it. Forensically, it could be the missing piece in the puzzle.

  2. Jabs November 26th, 2008 8:32 pm

    “The only issue I had was configuring all of the rules”…. Neil, I think you some up the issue quite clearly with that one point. Some would in fact ague that IDS solutions died because of that exact problem, others of course would argue that in the right hands, its a powerful view of your network.

Leave a comment