
Thread: Any experience with SNORT?

  1. #1
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default Any experience with SNORT?

    Hi Guys,

    Does any member have experience with using Snort?

    What was your experience with using it? Do you think it is useful / any good, and what is the configuration learning curve, etc.?

    My company has asked me to have a look at it and see if it would have any IDS benefits worth implementing.

    I'm only just in from work; I thought I'd get a bit of feedback before I delve in.

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by SBerry View Post
    Hi Guys,

    Does any member have experience with using Snort?

    What was your experience with using it? Do you think it is useful / any good, and what is the configuration learning curve, etc.?

    My company has asked me to have a look at it and see if it would have any IDS benefits worth implementing.

    I'm only just in from work; I thought I'd get a bit of feedback before I delve in.
    I like it. It can be a little difficult to get up and running from the start, but once you get it, it's very useful. I'm currently working on a project where I'm putting remote Snort sensors in 5 different sites; they will share the same database at the main site.

    I'm not sure when the new version is due out, but the new version is supposed to be an IPS instead of just an IDS.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    Quote Originally Posted by streaker69 View Post
    I like it. It can be a little difficult to get up and running from the start, but once you get it, it's very useful. I'm currently working on a project where I'm putting remote Snort sensors in 5 different sites; they will share the same database at the main site.

    I'm not sure when the new version is due out, but the new version is supposed to be an IPS instead of just an IDS.
    Heh, my Smoothwall uses Snort for IDS, which then blocks IPs based on different rules. It decided my DNS servers were evil and blocked them. Took me a few minutes to figure out why I could ping my DNS servers but not go to Google...
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  4. #4
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default

    Sounds good,

    I've just taken a look at the website. There is plenty of info to get me started.

    You see, at the moment the security is adequate; however, there is no port security enabled on any of the network switches (sticky or whatever), and the staff are permitted to bring in their own development laptops and connect them to the network. There are, however, ACLs in place to limit inter-VLAN comms.

    But just as a logging mechanism to catch any strange happenings, I thought maybe it would be beneficial. I just really want to know: is it worth the time and effort of setting it up?

    Thanks for the input streaker69

    EDIT: Just came across this http://www.uno-code.com/?q=node/59

  5. #5
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Barry View Post
    Heh, my Smoothwall uses Snort for IDS, which then blocks IPs based on different rules. It decided my DNS servers were evil and blocked them. Took me a few minutes to figure out why I could ping my DNS servers but not go to Google...
    DNS is evil. People should be forced to remember websites by IP only.

  6. #6
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by SBerry View Post
    You see, at the moment the security is adequate; however, there is no port security enabled on any of the network switches (sticky or whatever), and the staff are permitted to bring in their own development laptops and connect them to the network. There are, however, ACLs in place to limit inter-VLAN comms.
    Yuck... layer 2 security is, IME, one of the least defended.

    Quote Originally Posted by streaker69 View Post
    DNS is evil. People should be forced to remember websites by IP only.
    I concur with that 100%

    Also, be sure to use / tweak the Emerging Threats rules.
    dd if=/dev/swc666 of=/dev/wyze

  7. #7
    Good friend of the forums
    Join Date
    Feb 2009
    Posts
    356

    Default

    I use Snort too, and agree with the above posts: it's a good IDS, easy to configure, easy to use afterwards. It can be an IPS too, by blocking offending IPs (yeah, of DNS servers too... but I remember there was a checkbox preventing that somewhere).

  8. #8
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    Quote Originally Posted by xorred View Post
    I use Snort too, and agree with the above posts: it's a good IDS, easy to configure, easy to use afterwards. It can be an IPS too, by blocking offending IPs (yeah, of DNS servers too... but I remember there was a checkbox preventing that somewhere).
    Depends on the IPs. I had to whitelist my DNS servers; I also had to whitelist the Intuit servers, as all of a sudden our financial software wasn't getting updates... oops!
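    The whitelisting that #7 and #8 describe (DNS resolvers and vendor update servers getting blocked once alerts are turned into blocks) can be done inside Snort itself rather than in whatever is consuming its alerts. The snort.conf fragment below is an added example and is not code from any post in this thread or from the Snort project; it uses Snort 2.x rule syntax. The addresses are constructed from RFC 5737 documentation ranges, the variable names DNS_SERVERS and UPDATE_SERVERS and the rule file name local.rules are my own choices, and the config order line is there to make the evaluation order explicit rather than rely on the default of whichever Snort version you run (check your version's manual).

```snort
# snort.conf fragment (added example, not from the thread)
# Constructed addresses from RFC 5737 documentation ranges; replace with your own.
ipvar HOME_NET [10.0.0.0/8]
ipvar DNS_SERVERS [192.0.2.53,192.0.2.54]
ipvar UPDATE_SERVERS [198.51.100.0/24]

# Evaluate pass rules before drop/alert/log so an exemption always wins,
# whatever a downloaded rule set (e.g. Emerging Threats) would otherwise fire on.
config order: pass drop alert log

# Downloaded rule sets first, local overrides after them.
# File name under RULE_PATH is an assumption; use whatever your ET download is called.
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/local.rules

# --- contents of local.rules (sid >= 1000000 is the range reserved for local rules) ---

# Never alert (and so never block) on traffic between us and our own resolvers.
pass udp $HOME_NET any <> $DNS_SERVERS 53 (msg:"LOCAL pass internal DNS udp"; sid:1000001; rev:1;)
pass tcp $HOME_NET any <> $DNS_SERVERS 53 (msg:"LOCAL pass internal DNS tcp"; sid:1000002; rev:1;)

# Same for the vendor hosts the finance software pulls updates from.
pass tcp $HOME_NET any -> $UPDATE_SERVERS [80,443] (msg:"LOCAL pass vendor update servers"; sid:1000003; rev:1;)

# Everything else is still subject to normal detection. In IDS mode this only
# logs; only in inline mode with the action changed to "drop" does it block.
alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH from outside"; flow:to_server,established; sid:1000004; rev:1;)
```

    A pass rule suppresses the alert entirely, so an external blocker that reacts to Snort alerts (the way the Smoothwall setup in #3 does) never sees the resolvers in the first place; that is the in-Snort equivalent of the "checkbox" #7 remembers. When first moving to inline/IPS operation, running Snort with --treat-drop-as-alert for a while shows in the logs what would have been dropped without actually dropping it, which is how you find the next Intuit before the finance team does.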

  9. #9
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318

    Default

    Quote Originally Posted by streaker69 View Post
    I like it. It can be a little difficult to get up and running from the start, but once you get it, it's very useful.
    There's a LiveCD out now:

    Security Onion: The Security Onion LiveCD is now available!

    Check it out.
    Don't eat yellow snow :rolleyes:

  10. #10
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by hawaii67 View Post
    There's a LiveCD out now:

    Security Onion: The Security Onion LiveCD is now available!

    Check it out.
    Maybe it's just me, but I enjoy installing things from source. I've found it the best way to learn.

