IDS (network based rules with signatures)

Discussion in 'privacy technology' started by Infinity, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    http://rusecure.rutgers.edu/add_sec_meas/intrusion_detection_sys.php

    This is by far the best side about all this HIPS/IDS/ ..

    my point of view is that GSS/SSM/PG falls under unother term then HIPS/IDS/IPS ...

    :) Big edit: I meant htis part of the rest of this rather biased opinion ... ;)

     
    Last edited: Aug 8, 2006
  2. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    They never were too secure about their systems. Lack of mandatory firewalls on student comps, etc. At least now they're introducing more measures such as IDS. Maybe even SNORT?
     
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    so you don't think that homebased ids is an unnessecairy item ...
    I think that it can come in handy :) infact, it was mainly used for companies .. and some firewalls do have it,Kerio and Tiny FW (probably a lot more fw's have an ids with rules for certain trojans ..)

    Kerio's rules NEVER EVER UPDATES (Kerio is now overtaken by Sunblet) and Tiny2005 had a very very good one imho (but no import has ever finalised as it should) .. decided to drop it .. cause at the end they aborted it too :D and to use it at that time .. waaay :blink: to much Hassle

    Snort (when I tried to use it , I believe it was still the early stages .. lot's of manual import of data (and not that good documentation at all not on all ;) subjects .. and buggy (tried to implement into some fw's but went back..)

    bw,
     
  4. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    Well, of course. I practice being paranoid.

    And I have a home network. But even if I didn't, I would probably still use SNORT rules on my router.

    And HIPS is just an IDS for a personal computer if I'm not mistaken.

    I don't think SNORT is buggy, or early stages. It's a pretty throughly tested product. Having it on a Linux system to scan incoming traffic will definitely produce a lot of logs, but once set up correctly, it's pretty good in securing a network. Shouldn't depend on it, but it's a nice extra layer IMO. And the logging is great for sysadmin. False positives once inawhile, but they haven't been annoying to a point where I've just given up on it. I admit, it requires a lot of tweaking.
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I meant it was buggy a couple of years ago, when I tried it .. and certainly it wasn't what it is now imho ..

    another thing I would like to mention, I don't (never had btw) used it as a 'stand alone' extra layer of protection but used it when I imported (tried to import with Tiny/Kerio and it never worked .. that importing into firewall ..
    So I searched for a FW with a 'built-in' IDS and came to the conclusion that only Tiny and Kerio used one .. and afaik it was Tiny that updated it the most .. but that was because all their energy went into making Tiny easier to live with :)

    Snort works very good with Linux and in fact and truely think that it is the whole idea after all .. in conjunction with Linux-based rigs (which I am not, still I like the "security aspects" of a Windows machine ;)
     
  6. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    That is true. I have not found one good instance of a good SNORT implementation with a Windows machine. If there was one, I'd love to know about it. Kerio, I've had on my machine but not for long due to some incompaitibilities, and Tiny was always too expensive for my budget.

    Blackice also had a IDS function, but I never really did like that firewall.

    I'm starting to think the best way to secure a Windows machine is to put it behind a linux based router. :T
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Sosaiso,

    Honestly, you're not the first thinking this (and doing it also) .. I believe there were/are some members with an old(fashioned), merely working PC or some oldtimer laptop ... he uses it with IPTABLES (I've heard some very nice things about this apparently realy great firewall for Linux I believe) now my question, cause I am a bit of an monkey from another galaxy when it comes down to Linux .. but if it would be possible to use Snort and IPTables together or imported.

    Truth is: I don't know much about Snort anymore, Linux neither and DOS I had to learn on my own cause when I got into this all, DOS was already 'oldfashioned' .. could be oldfashioned .. but one of the strongest and most reliable tools .. even on my xp :) lol I love my windows XP too much, maybe I'll install some lifeCD one day .. nothing to hurry though, just formatted and starting from scratch, and that's something I really really like!

    best wishes,
     
  8. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    Ah, I am probably the same as you Infinity! I merely started looking into Linux and its security offerings perhaps a month ago.

    As far as I know, SNORT and IPtables are two very different things. SNORT is an IDS, based off signatures and what not, and IPtables is the firewall. IPtables, from what I know, is built in within the kernel, and SNORT is just another package that you can add from the repositories.

    DOS was always annoying to me because it was dumb. Dumb as in it had limited functionality. I've started to learn bash lately, [experimenting for a transition to linux on my desktop], and bash is smart. The functions on that thing could blow my mind.

    As for installing, liveCDs allow you to experiment without installing, which is the brilliance of the concept, but I guess you should take things slowly. I started the transition with just using opensource. Then I started reading more and more about it, and got far too excited. But I diverge from the topic.

    As for having an old pc as a router, I don't know if I'm one of those. From my very limited experience [making only two linux routers myself], I have put at least a 800 mhz pc to the task. There was something about lower grade processors being able to process the same load, but I didn't want that to impact my internet speed.
     
Loading...
Thread Status:
Not open for further replies.