Eagle X IDS

Discussion in 'other firewalls' started by Kerodo, Mar 1, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Has anyone here used Eagle X? If so, any comments on it? Is this something that can be run on a workstation? Or am I missing the point of it altogether? I don't know much about Snort or IDSs...

    http://www.engagesecurity.com/products/eaglex/
     
    Last edited: Mar 1, 2005
  2. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    This seems similar to a program I have used called KFSensor; you might want to look this up in Google, as it may be a little more user-friendly.

    Homepage: http://www.keyfocus.net/kfsensor/

    Jimbob
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    It seems like this program is for servers...
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    That's the feeling I got too.. I'm afraid to install it. Maybe I'll wait until right before my next reformat before trying it...
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Ok, thanks Jimbob. I'll check it out...
     
  6. Arup

    Arup Guest

    Was on the lookout for an IDS, and decided to give Eagle and Protowall a try; both are based on Snort and therefore would be truly a good solution to my security needs. The problem is that both use kernel-level drivers for packet filtering and are a pain to use. Both their drivers refused to install on my Win2K SP4, so the final solution was to use the latest PG2 beta 2, which works flawlessly when properly set up with Blocklist Manager.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks for that bit of info Arup. I have Win2k SP4 also, so I won't be installing Eagle X then...
     
  8. Arup

    Arup Guest

    Kerodo,

    If you have a fast connection, give it a try, as it is a 15 MB download; otherwise stick to Peer Guardian 2 beta 2 with Blocklist Manager. I find kernel-level drivers from non-MS sources are always a pain to install.
     
  9. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I don't get it exactly. Why is PG2 with Blocklist Manager an IDS? Are you just setting up a list of spyware URLs to block?
     
  10. Arup

    Arup Guest

    Technically PG is not an IDS, but then the blocklist is updated frequently and contains a comprehensive list of rogue, Trojan and other undesirables; block all of them and you have yourself a surefire way of snoop prevention. Add Prevx to that and you have yourself a good solution, and that too for free.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, I have cable here and have already d/l'd it. I may try it right before my next reformat. Right now though, I'm set for the moment and don't want to disrupt things here. :)
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Looks like it's mostly for P2P users who want to block the RIAA and similar "threats" to P2P users.. If you don't use P2P much, then its usefulness is probably limited. No? ;)
     
  13. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I agree that Peer Guardian is mostly a P2P thing. You can set it up to block HTTP, but a hosts list could do the same thing and will have all of the spyware sites in it.
     
  14. Arup

    Arup Guest

    PG2 with all the lists loaded is quite formidable: a huge list of adware, snoopware, Trojan, .gov and other marketing sites are all blocked from snooping on your PC, and you get a nice list of the currently blocked IPs.
     
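The blocking mechanism discussed above (an IP-range blocklist checked against each remote address, as Blocklist Manager feeds to PG2) can be demonstrated without either tool. The following is an added example, not code from the thread or from the PeerGuardian project. It assumes the plaintext "label:first-last" list format that PeerGuardian-style tools consume; the ranges and connections in it are constructed for the example and do not come from any real blocklist.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample in the "label:first-last" plaintext blocklist format.
# These ranges are documentation/test networks invented for the example,
# not real blocklist entries.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored
Example Adware Net:203.0.113.0-203.0.113.255
Example Tracker:198.51.100.10-198.51.100.20
Example Gov Range:192.0.2.128-192.0.2.191
Example Gov Range:192.0.2.160-192.0.2.200
"""


def merge_ranges(ranges):
    """Merge overlapping or adjacent (start, end, label) ranges; input must be sorted.

    Without this step a binary search could land on the later of two overlapping
    ranges and miss an address that the earlier, wider range covers.
    """
    merged = []
    for start, end, label in ranges:
        if merged and start <= merged[-1][1] + 1:
            pstart, pend, plabel = merged[-1]
            joined = plabel if plabel == label else f"{plabel}; {label}"
            merged[-1] = (pstart, max(pend, end), joined)
        else:
            merged.append((start, end, label))
    return merged


def parse_blocklist(text):
    """Parse blocklist lines into a sorted, merged list of (start, end, label) ints."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition keeps labels that themselves contain ':' intact
        label, _, span = line.rpartition(":")
        first, _, last = span.partition("-")
        start = int(ipaddress.IPv4Address(first))
        end = int(ipaddress.IPv4Address(last))
        if end < start:
            raise ValueError(f"inverted range in blocklist line: {line}")
        ranges.append((start, end, label))
    ranges.sort()
    return merge_ranges(ranges)


class BlocklistMatcher:
    """Look up one IPv4 address against sorted, non-overlapping ranges by binary search."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = [r[0] for r in ranges]

    def lookup(self, ip):
        """Return the label of the range containing ip, or None if it is not listed."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect_right(self.starts, n) - 1
        if i >= 0:
            start, end, label = self.ranges[i]
            if start <= n <= end:
                return label
        return None


def filter_connections(matcher, connections):
    """Given (remote_ip, port) pairs, return the ones a PG2-style filter would block."""
    blocked = []
    for ip, port in connections:
        label = matcher.lookup(ip)
        if label is not None:
            blocked.append((ip, port, label))
    return blocked


if __name__ == "__main__":
    matcher = BlocklistMatcher(parse_blocklist(SAMPLE_BLOCKLIST))
    # Constructed connection attempts, not captured traffic.
    sample = [("203.0.113.77", 80), ("93.184.216.34", 443), ("198.51.100.15", 6881)]
    for ip, port, label in filter_connections(matcher, sample):
        print(f"blocked {ip}:{port} ({label})")
```

The merge step is what makes the binary-search lookup safe: list aggregators routinely produce overlapping entries from different sources, and a lookup that only inspects the nearest range start would silently let some listed addresses through.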
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Well, I finally got around to installing this Eagle X package. The install went fine and everything appears to be working ok. But I must admit that I have no idea what I'm looking at... :) I guess it'll be a learning experience. I'll probably run it for a few days to a week and see what happens. The only downside to it seems to be its RAM usage. Snort itself is using 40 megs of RAM, and all items in the package combined use around 71 megs total. Fortunately I have RAM to spare, but for some this wouldn't be a workable solution.

    No errors or problems so far though with the install or operation... Looks very configurable and cool.
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    70 MB!

    Why don't you get some junked out P2 and run Smoothwall or something like that on it. Just build a souped up Linux gateway.

    If you can get Snort working, that is quite a trick. Totally not practical on a home PC, but an achievement nonetheless.
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, Snort seemed to work fine. I didn't have to do a thing either. The package installed and set everything up completely. It does seem to be for servers though. I also had Jetico running and began to see weird incoming stuff from my own address to other IPs on port 80 being blocked by JPF. So I'm not sure what the heck I had going there.. :)

    But it was interesting for a few hours. I reformatted tonight and installed Outpost. I'll probably run that for a while now until the next Jetico comes out...
     
  18. Arup

    Arup Guest

  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    My goal is to go 6 months on a complete format and windoze install. At about 3 months right now, and not certain it will make it.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Interesting program. I've never seen one like that before...
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I have to admit that I'm a bit fanatic about reformatting.. I do it way more than necessary. I like the feeling of having a clean install and not having to worry about any conflicts caused by previous programs installed, and so on. Just recently I started slowing down and now I plan to just do it only when absolutely necessary. But sometimes a program really invades the system (like this Eagle X thing) and so I want to remove all traces of it by reformatting. Hopefully I'll go several months now without doing it again. ;)
     
  22. Arup

    Arup Guest

    Glad you liked Driver Genius Pro; in case you are a sysadmin who has to install many PCs over the network with different h/w configs, it is a true boon.
     
  23. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!

    Kerodo, what you are seeing with all that traffic from your system is Snort looking for either a MySQL or an Apache server. If you turn all that off and place your loopback (127.0.0.1) in the 'whitelist' it should stop doing that. That is a normal response... BTW: I have created two setup docs on how to set up Snort as an IPS/IDS using Snortsam & Snort, without all the overhead, at SSC:

    For CHX-I
    http://www.fluxgfx.com/ssc/showthread.php?t=50

    8Signs
    http://www.fluxgfx.com/ssc/showthread.php?t=29

    IMO, it is not necessary to install and utilize Snort if you are not behind a dedicated server. The only reason I use it is to scan and auto-block on my FTP server... But, if you like to check what kind of traffic is being seen going through your NIC, please by all means...

    CU
    Jazzie
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Thanks for the explanation Jazzie and the links. That makes a little more sense now. There was both Apache and MySQL installed. I concluded that it was all a little beyond me and that I probably didn't need it, but it's interesting.. :)
     