Intrusion Detection recommendations
- Subject: Intrusion Detection recommendations
- From: charles at thefnf.org (Charles N Wyble)
- Date: Sat, 14 Feb 2015 14:03:05 -0600
- In-reply-to: <CAAAwwbVJ1Lo+erzz=Ma_065p1UY-WdkTnitB+uKqo=YCwKw9rA@mail.gmail.com>
- References: <m261b4nazl.wl%[email protected]> <CAAAwwbVJ1Lo+erzz=Ma_065p1UY-WdkTnitB+uKqo=YCwKw9rA@mail.gmail.com>
Check out Security Onion. It's got a pretty nice suite of tools and can run one (or many) dedicated sensor systems that communicate back to a central system.
As for SSL MITM, see the recent NANOG thread for the full layer 2 to layer 8 ramifications of that activity.
For SSH MITM, I don't know of any tools. I'm looking for one.
On February 14, 2015 12:57:29 PM CST, Jimmy Hess <mysidia at gmail.com> wrote:
>On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush <randy at psg.com> wrote:
>
>Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
>
>By itself, a single install of Snort/Bro is not necessarily a complete
>IDS, as it cannot inspect the contents of outgoing SSL sessions, so
>there can still be JavaScript/attacks against the browser, or SQL
>injection attempts encapsulated in the encrypted tunnels; I am not
>aware of an open source tool to help you with SSH/SSL interception/SSL
>decryption for implementation of network-based IDS.
>
>You also need a hand-crafted rule for each threat that you want Snort
>to identify...
>Most likely this entails making decisions about what commercial
>ruleset(s) you want to use and then buying the appropriate
>subscriptions.
>
>
>> if you were comfortable enough with freebsd to use it as a firewall,
>you
>> can run your traffic through, or mirror it to, a freebsd box running
>> https://www.bro.org/ or
>> https://www.snort.org/
>> two quite reasonable and powerful open source systems
>>
>> randy
>--
>-JH
>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
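As an added example for the point in the quoted reply above (not code from this thread, nor from Snort, Bro or Security Onion), the constructed Python below shows why a content-match rule fires on a plaintext HTTP request but not on the same request once it sits inside a protected TLS record, and what a non-decrypting sensor can still read: the record header and the SNI hostname in the ClientHello. The rule, the request, the hostname shop.example, the key and the SHA-256 XOR stand-in for record encryption are all assumptions made for the demo.

```python
"""Constructed demonstration: what a passive, signature-based sensor sees of
plaintext HTTP versus a TLS-protected session.  Added example, not code from
Snort, Bro or Security Onion; rule, traffic, hostname and key are made up."""
import hashlib
import struct

# A Snort-style rule reduced to its content matches: every pattern must
# appear in the payload, in order, case-insensitively.  (Constructed.)
SQLI_RULE = {
    "msg": "SQL injection attempt, UNION SELECT (constructed demo rule)",
    "contents": [b"UNION", b"SELECT"],
    "nocase": True,
}

# Constructed sample request: a UNION-based injection in the query string.
PLAINTEXT_HTTP = (
    b"GET /items?id=1'%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1\r\n"
    b"Host: shop.example\r\n\r\n"
)


def rule_matches(rule, payload):
    """Return True when all content patterns occur in payload, in order."""
    hay = payload.lower() if rule["nocase"] else payload
    pos = 0
    for pat in rule["contents"]:
        needle = pat.lower() if rule["nocase"] else pat
        idx = hay.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def toy_record_encrypt(plaintext, key):
    """Stand-in for TLS record protection: XOR with a SHA-256 counter-mode
    keystream.  NOT real TLS or an AEAD; it only makes the bytes opaque."""
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + struct.pack(">Q", off // 32)).digest()
        out.extend(a ^ b for a, b in zip(plaintext[off:off + 32], ks))
    return bytes(out)


def tls_record(content_type, body, version=(3, 3)):
    """Wrap body in a TLS record header: type, version, 16-bit length."""
    return struct.pack(">BBBH", content_type, version[0], version[1], len(body)) + body


def parse_record_header(rec):
    """All a non-decrypting sensor can read from an application-data record."""
    ctype, vmaj, vmin, length = struct.unpack(">BBBH", rec[:5])
    return {"type": ctype, "version": "%d.%d" % (vmaj, vmin), "length": length}


def build_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name        # host_name entry
    sn_list = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0x0000, len(sn_list)) + sn_list     # server_name ext
    body = (b"\x03\x03" + b"\x11" * 32                           # version, random
            + b"\x00"                                             # empty session_id
            + struct.pack(">H", 2) + b"\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # 24-bit length
    return tls_record(0x16, handshake, version=(3, 1))


def extract_sni(rec):
    """Return the SNI hostname from a ClientHello record, or None."""
    try:
        hdr = parse_record_header(rec)
        hs = rec[5:5 + hdr["length"]]
        if hdr["type"] != 0x16 or hs[0] != 0x01:   # handshake, ClientHello
            return None
        p = 4 + 2 + 32                             # hs header, version, random
        p += 1 + hs[p]                             # session_id
        p += 2 + struct.unpack(">H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                             # compression_methods
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0x0000 and len(data) >= 5:
                name_len = struct.unpack(">H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def demo():
    """Rule over plaintext vs. the same request in a protected record, plus
    SNI recovery from a constructed ClientHello."""
    enc_rec = tls_record(0x17, toy_record_encrypt(PLAINTEXT_HTTP, b"constructed-key"))
    return {
        "plaintext_http_alert": rule_matches(SQLI_RULE, PLAINTEXT_HTTP),
        "encrypted_record_alert": rule_matches(SQLI_RULE, enc_rec),
        "encrypted_record_header": parse_record_header(enc_rec),
        "client_hello_sni": extract_sni(build_client_hello("shop.example")),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() alerts on the plaintext request, stays silent on the protected record while still reporting its content type 0x17 and length, and recovers shop.example from the hello. That last item is the kind of metadata a real sensor keeps without intercepting anything (Bro's ssl.log carries a server_name field), and it is what you are left with for rule-writing when decrypting outbound sessions is off the table.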