  #1 Duke5A

    Intrusion Detection Systems

    Anyone here have a functioning IDS setup, or experience you'd be willing to share? I honestly haven't touched this stuff since college, but thought it worth looking into now that things are finally settling down. We really don't have any cash to plunk down on any additional equipment now so I was looking at Snort and OSSEC. Can't seem to decide between Windows or Linux either. I'm no stranger to a Linux CLI (I setup a couple Squid proxies internally here), but already have a few devices running Windows I wanted to utilize. Any thoughts? Thanks guys..

  #2 pete (Location: In the server room, with the lead pipe.)
    We use OSSEC (Host-based IDS and log shipping) and have done for a while. It's useful and has highlighted things that we would have otherwise missed in the logs. We monitor Linux, Windows & OS X clients using a Linux OSSEC server.

    It's quite noisy by default, you'll want to set up a couple of guinea pig client servers and run the OSSEC client on them for a couple of weeks so you've an idea of the S/N ratio. Then tune it for things you care about, then add another server.

    On a webserver (for example) it'll tell you about 404s, 503s and alert you beyond a certain rate limit (some herbert running automated scanning for phpmyadmin, for example). It'll also give you the option to respond (Active Response) if criteria you specify are met.

    You can feed OSSEC into the free version of Splunk, the new (beta) version of the OSSEC Webui is a great improvement and/or you could use Analogi. There's another that I'm forgetting too.

    Free tip:

    Rule 102001: Stop DC Logon Spam

    By default, the first time a user logs onto a host, Ossec is configured to send an email, even though it's only a Level* 3 alert (low). In certain circumstances (webserver or fileserver with limited number of authorised users) this is useful. In others (1100 users, 500 hosts, 3 DCs) it's not.

    This rule is set to override the email alert if it receives rule 18119 from a domain controller.
    Code:
    <!-- Stop Windows Server Logon Spam -->
    <group name="local">
    <rule id="102001" level="3">
      <if_sid>18119</if_sid>
      <hostname>DC1.IP.ADD.RESS|DC2.IP.ADD.RESS|DC3.IP.ADD.RESS</hostname>
      <options>no_email_alert</options>
      <description>First time this user logged in this system -- no email</description>
    </rule>
    </group>

    *Levels go from 0 to 15. Level 10 is where OSSEC will (by default) start emailing you.

    0 to 3 = Successful auth, misc status notifications etc.
    4 to 9 = Not much to worry about - bad configs, IIS exploit attempted on an Apache server, wrong password etc.
    10 = I am going to start emailing you - i.e. multiple failed logins
    12 = Error or warning messages from the system/application.
    13 = As above, but unusual - i.e. strange URL request, buffer overflow attempt.
    14 = High importance security event - OSSEC thinks you're being actively attacked.
    15 = The attack was successful.
    Last edited by pete; 1st October 2013 at 05:39 PM.
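An added example, not from pete's post or the OSSEC project: a small Python script that parses constructed alerts.log-style records, counts alerts per rule to gauge the S/N ratio pete suggests measuring on a couple of guinea-pig servers, and emulates the email decision (the default level 10 threshold, the alert_by_email flag on rule 18119, and the rule 102001 override for the DC agent names, which are an assumption here).

```python
import re
from collections import Counter

EMAIL_ALERT_LEVEL = 10            # OSSEC's default <email_alert_level>
ALERT_BY_EMAIL_RULES = {18119}    # low-level rules that still email (alert_by_email)
DC_HOSTS = {"DC1", "DC2", "DC3"}  # assumption: agent names that rule 102001 matches

# Constructed sample in the layout of OSSEC's alerts.log; not real data.
SAMPLE_ALERTS = """\
** Alert 1380641956.1001: mail  - windows,authentication_success,
2013 Oct 01 17:39:16 (DC1) 10.0.0.5->WinEvtLog
Rule: 18119 (level 3) -> 'First time this user logged in this system.'
** Alert 1380641975.1003: mail  - windows,authentication_success,
2013 Oct 01 17:39:35 (FILESRV) 10.0.0.20->WinEvtLog
Rule: 18119 (level 3) -> 'First time this user logged in this system.'
** Alert 1380642100.1005: mail  - web,accesslog,attack,
2013 Oct 01 17:41:40 (WEB1) 10.0.0.30->/var/log/apache2/access.log
Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
"""

# Second line of a record: timestamp, then "(agent) ip->location" or "host->location".
HOST_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
                     r"(?:\((?P<agent>[^)]+)\) \S+|(?P<local>\S+))->")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")

def parse_alerts(text):
    """One dict (host, rule, level, desc) per '** Alert' record."""
    alerts, current = [], None
    for line in text.splitlines():
        if line.startswith("** Alert"):
            current = {}
        elif current is not None and (m := HOST_RE.match(line)):
            current["host"] = m.group("agent") or m.group("local")
        elif current is not None and (m := RULE_RE.match(line)):
            current.update(rule=int(m.group(1)), level=int(m.group(2)), desc=m.group(3))
            alerts.append(current)
            current = None
    return alerts

def would_email(alert, dc_override=True):
    """Email if level >= threshold or the rule is alert_by_email, unless
    local rule 102001 (no_email_alert for 18119 from a DC) suppresses it."""
    if dc_override and alert["rule"] == 18119 and alert["host"] in DC_HOSTS:
        return False
    return alert["level"] >= EMAIL_ALERT_LEVEL or alert["rule"] in ALERT_BY_EMAIL_RULES

def noise_summary(alerts):
    """Alert count per (rule id, level, description); the top rows are the tuning candidates."""
    return Counter((a["rule"], a["level"], a["desc"]) for a in alerts)
```

Run it over a real alerts.log after the guinea-pig period and the most common rows of noise_summary are the rules to tune first.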

  #3 pete
    The guys at AlienVault have a working OSSIM VM that includes OSSEC (with lots of other gubbins built in) for testing. (if you can't find something in their Web GUI, you haven't right-clicked enough)

    OSSIM: Open Source SIEM & Open Threat Exchange Projects

    On the above, don't turn on the vulnerability scan without changing the alerting defaults, there's a daft amount of outdated tests and too many false positives.

  #4 Duke5A
    @pete: You've given some really good pointers here. I've got a growing list of people I need to buy beer for if I ever get out to that side of the world. Thanks again!
