Intrusion Detection recommendations

BPNoC Group bpnoc.lists at gmail.com
Sat Feb 14 18:04:24 UTC 2015


On Sat, Feb 14, 2015 at 10:19 AM, Rich Kulawiec <rsk at gsp.org> wrote:

> On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
> > What is the alternative then... Does he have the time to become a BSD
> guru
> > and master ipfw and pf? Probably not feasible with all other job duties,
> > unless he locks himself in his mom's basement for the next 5 years.
>

Are we really talking "ipfw add deny udp from any to any 123 not in via
$lan" here?

Or are we talking "iptables -A INPUT -s 0/0 -p udp -m udp --dport 123 -j
DROP"?

Or maybe we are talking "config firewall local-in-policy \n edit #id \n set
intf ifacename\n set srcaddr any\n set dstaddr any\n set service
previosly_configured_object\n set action deny\n next\n end\n" ?

Nobody needs to lock himself in a basement to learn PF or IPFW. While
this might not be true for other firewalling systems, it can't be easier
than it is on BSD.

All it takes is proper networking skills. The tool is simply there to do
what you want to do if you know how you want it (TCP/IP skills required, not
PF skills).

> I know this will come as a shock, but there are now a plethora of how-to's
> and tutorials and books and FAQs and examples for pf.  Getting from zero
> to a first-order working configuration, especially for someone already
> familiar with FreeBSD (as in this case) should not entail more than a
> couple of days of reading and tinkering.  And it's most definitely not
> necessary to become a BSD guru in order to run:
>

Not to mention PF's documentation, IPFW documentation and the Handbook
chapter...


>
>         pfctl -f /etc/pf.conf
>
> Obviously complex use cases will require more understanding, but that's a
> constant regardless of the platform.


Agreed, networking skills are required, not PF/IPFW skills, as they are easy
and well-documented tools. Easier and better performing than most other
firewalling tools and options, or as easy as other easy ones like Cisco ASA.

But back to Andy's original point:

As someone else mentioned before, I dropped Snort in favor of Suricata +
Bro, and they are the tools I would also suggest. Do it with FreeBSD + Suricata
and/or Bro.

And remember, IDS is not a service you set up and forget. The most
important point is to learn how to do proper analysis on what you are
seeing and understand volumetric vs unusual single attacks, inspect
payload and L7 content, and have a daily analysis cycle if you can't have
dedicated personnel to do that continuously.

This is no different whether you go home-brew open source, "packed ready"
open source (pfSense) or proprietary / commercial.

I also agree with whoever suggested Bejtlich's SIEM (NSM) book, and I
would recommend Shon Harris, Miller et al.'s SIEM book as well!

Regards,
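As an added illustration of the "volumetric vs unusual single attacks" triage the post describes (not code from the poster or from Suricata), the script below reads Suricata EVE JSON alert lines, counts hits per (signature, source) and splits them into volumetric sources and one-off alerts for a daily review pass. The EVE field names are Suricata's real ones; the sample alert lines, signature ids and the threshold of 5 hits are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real traffic): one noisy NTP source
# producing 8 alerts, one single SSH alert, and one non-alert flow record.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2015-02-14T18:00:%02dZ" % i, "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "dest_port": 123,
                "proto": "UDP",
                "alert": {"signature_id": 1000001, "signature": "NTP monlist request",
                          "severity": 2}})
    for i in range(8)
] + [
    json.dumps({"timestamp": "2015-02-14T18:01:00Z", "event_type": "alert",
                "src_ip": "203.0.113.5", "dest_ip": "192.0.2.20", "dest_port": 22,
                "proto": "TCP",
                "alert": {"signature_id": 1000002, "signature": "SSH brute force",
                          "severity": 2}}),
    json.dumps({"timestamp": "2015-02-14T18:02:00Z", "event_type": "flow",
                "src_ip": "203.0.113.9", "dest_ip": "192.0.2.30"}),
]

VOLUMETRIC_THRESHOLD = 5  # hits per (signature, source) per review window; tune per site


def triage(lines, threshold=VOLUMETRIC_THRESHOLD):
    """Group EVE alert records by (signature_id, src_ip) and classify them."""
    counts = Counter()
    first_seen = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines rather than abort the run
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http records etc. are not alerts
        key = (rec["alert"]["signature_id"], rec["src_ip"])
        counts[key] += 1
        first_seen.setdefault(key, rec)
    volumetric, singles = [], []
    for key, hits in counts.items():
        rec = first_seen[key]
        entry = {"signature": rec["alert"]["signature"], "src_ip": rec["src_ip"],
                 "dest_port": rec.get("dest_port"), "hits": hits}
        (volumetric if hits >= threshold else singles).append(entry)
    return {"volumetric": volumetric, "singles": singles}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVE_LINES), indent=2))
```

Volumetric entries are candidates for rate-based blocking at the firewall; the singles list is what deserves payload inspection during the daily cycle.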


