Intrusion Detection recommendations

Charles N Wyble charles at thefnf.org
Sat Feb 14 20:03:05 UTC 2015


Check out Security Onion. It's got a pretty nice suite of tools and can run one (or many) dedicated sensor systems and communicate back to a central system.

As for SSL MITM, see the recent NANOG thread for the full layer 2 to layer 8 ramifications of that activity.

For SSH MITM, I don't know of any tools. I'm looking for one.

On February 14, 2015 12:57:29 PM CST, Jimmy Hess <mysidia at gmail.com> wrote:
>On Sat, Feb 14, 2015 at 2:38 AM, Randy Bush <randy at psg.com> wrote:
>
>Bro, SNORT, SGUIL, Tcpdump, and Wireshark are some nice tools.
>
>By itself, a single install of Snort/Bro is not necessarily a complete
>IDS, as it cannot inspect the contents of outgoing SSL sessions, so
>there can still be Javascript/attacks against the browser, or SQL
>injection attempts encapsulated in the encrypted tunnels; I am not
>aware of an open source tool to help you with SSH/SSL interception/SSL
>decryption for implementation of network-based IDS.
>
>You also need a hand-crafted rule for each threat that you want Snort
>to identify...
>Most likely this entails making decisions about what commercial
>ruleset(s) you want to use and then buying the appropriate
>subscriptions.
>
>
>> if you were comfortable enough with freebsd to use it as a firewall, you
>> can run your traffic through, or mirror it to, a freebsd box running
>>    https://www.bro.org/ or
>>    https://www.snort.org/
>> two quite reasonable and powerful open source systems
>>
>> randy
>--
>-JH
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
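As an added illustration of the two points Jimmy makes above (a network IDS needs one content rule per threat, and those rules see nothing inside an encrypted session), here is a small Snort-style content matcher written for this page. It is not code from the thread and not Snort's or Bro's own code: the rule-syntax subset it parses, the Packet tuple, the constructed HTTP packets and the fake TLS application-data wrapper (a SHA-256 keystream XOR standing in for real AEAD encryption) are all assumptions made for the demonstration.

```python
import hashlib
import re
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    """One TCP segment as a sensor would see it (constructed for the demo)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class Rule(NamedTuple):
    proto: str
    sport: int   # -1 means "any"
    dport: int   # -1 means "any"
    msg: str
    content: bytes
    nocase: bool
    sid: int


# Hypothetical, deliberately tiny subset of the Snort rule header/body grammar:
#   alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"..."; [nocase;] sid:N;)
RULE_RE = re.compile(
    r'alert\s+(?P<proto>\w+)\s+\S+\s+(?P<sport>\d+|any)\s+->\s+\S+\s+(?P<dport>\d+|any)'
    r'\s*\((?P<body>.*)\)\s*$'
)


def _port(text: str) -> int:
    return -1 if text == "any" else int(text)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    opts, flags = {}, set()
    for opt in m.group("body").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            k, v = opt.split(":", 1)
            opts[k.strip()] = v.strip().strip('"')
        else:
            flags.add(opt)
    return Rule(m.group("proto"), _port(m.group("sport")), _port(m.group("dport")),
                opts["msg"], opts["content"].encode(), "nocase" in flags, int(opts["sid"]))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header check first, then a plain substring search of the payload."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.sport != -1 and rule.sport != pkt.sport:
        return False
    if rule.dport != -1 and rule.dport != pkt.dport:
        return False
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def scan(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (sid, msg) alerts in packet order; one alert per matching rule."""
    return [(r.sid, r.msg) for pkt in packets for r in rules if rule_matches(r, pkt)]


def fake_tls_app_data(plaintext: bytes) -> bytes:
    """Stand-in for a TLS application_data record: opaque bytes behind a 0x17 0x03 0x03 header.
    Real TLS uses AEAD; a fixed-key SHA-256 keystream XOR is enough to hide the content."""
    key = hashlib.sha256(b"constructed demo key").digest()
    stream = (key * (len(plaintext) // len(key) + 1))[:len(plaintext)]
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body


# One hand-written rule per threat, as the thread notes; both are hypothetical.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any any (msg:"SQLi UNION SELECT in HTTP request"; content:"union select"; nocase; sid:1000001;)',
    'alert tcp any 80 -> any any (msg:"Inline eval() in HTTP response body"; content:"eval("; sid:1000002;)',
]]

SQLI_REQUEST = b"GET /item?id=1' UNION SELECT user,pass FROM users-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
JS_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>eval(atob('ZG9jdW1lbnQ='))</script>"

# Constructed traffic: the same attack traffic in the clear on port 80 and inside TLS on 443.
PACKETS = [
    Packet("tcp", "10.0.0.5", 51000, "192.0.2.10", 80, SQLI_REQUEST),
    Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 51000, JS_RESPONSE),
    Packet("tcp", "10.0.0.5", 51001, "192.0.2.10", 443, fake_tls_app_data(SQLI_REQUEST)),
    Packet("tcp", "192.0.2.10", 443, "10.0.0.5", 51001, fake_tls_app_data(JS_RESPONSE)),
    Packet("tcp", "10.0.0.5", 51002, "192.0.2.10", 80, b"GET /item?id=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

if __name__ == "__main__":
    for sid, msg in scan(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

Run as-is, the script raises exactly two alerts, both from the plaintext port-80 flows; the identical request and response carried as TLS application data on 443 trigger nothing, because the sensor only ever sees ciphertext. That is the gap the thread is describing: without a decryption point (a TLS-terminating proxy, or server key material fed to the sensor), every signature you write only covers whatever still crosses the wire in the clear.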


More information about the NANOG mailing list