Chris O'Connell wrote:
> Or do you just mean you want to use Snort to listen to traffic on
> said router by installing it on a separate computer?

I was hoping to hear more about how this might be possible at the talk. You mentioned "sensors", but that seemed to be shorthand for a commercial appliance with physical network connections, not a chunk of software that can be put on a router. So I'm still wondering if Snort supports a "client-server" like model where pcap runs on a monitoring point and streams the data to an analysis server elsewhere.

Another option to consider would be placing a Snort monitoring appliance on the WAN side of the router (connected via a hub or using port mirroring, as mentioned in the talk). This could potentially be implemented using inexpensive hardware, like another consumer router. (Something with a bit of power, like the previously mentioned ASUS RT-N16.) It could even use an attached USB disk for storage. This way if Snort gets bogged down, it won't impact your network speed.

But sticking another box outside your firewall has just doubled the number of machines you need to secure. And having a machine that captures network statistics and interesting packets (potentially containing plain text passwords, etc.) makes it a useful target for a hacker. Plus, this setup doesn't tell you what has made it past your firewall, which is the whole point of intrusion detection. (And it wouldn't be wise to make one Snort appliance do double duty by monitoring packets both inside and outside the firewall. You've now created a convenient bridge if the appliance gets breached. So that means having yet another appliance.)

In other matters, I'm curious to know what alternatives to Snort you evaluated, if any.

On the host intrusion detection side of things I've had success with Integrit (a file hash comparison tool equivalent to Tripwire; custom configured to issue delta reports, rather than accumulating all anomalies until the operator regenerates the database) and logwatch (log monitoring tool). Both use email as the primary communication channel. Both require a fair bit of customization and configuration to make them minimally noisy. (A noisy monitoring tool quickly gets ignored.)

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
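The "delta report" behaviour Tom describes for Integrit (report only what changed since the last run, rather than re-listing every difference from the original baseline until the database is regenerated) is easy to misunderstand, so here is an added illustration of the idea. This is example code written for this archive page, not Integrit's or Tripwire's own code; the function names, the JSON state file and the sample directory tree are all this example's assumptions.

```python
"""Delta-style file integrity check (added example, not Integrit itself).

Hashes a directory tree, compares it with the snapshot stored by the
previous run, reports only what changed since that run, then stores the
new snapshot. Names (snapshot, compare, run_check) and the JSON state
file are this example's own assumptions, not Integrit's format.
"""
import hashlib
import json
import os
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks and special files
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def compare(previous: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "added": sorted(cur_keys - prev_keys),
        "removed": sorted(prev_keys - cur_keys),
        "changed": sorted(k for k in prev_keys & cur_keys
                          if previous[k] != current[k]),
    }


def has_changes(delta: dict) -> bool:
    return any(delta[k] for k in ("added", "removed", "changed"))


def format_report(delta: dict) -> str:
    """Render a delta as mail-body text. Returns "" when nothing changed so
    the caller can skip sending mail entirely (a quiet tool gets read)."""
    if not has_changes(delta):
        return ""
    lines = [f"{kind.upper():8} {path}"
             for kind in ("added", "removed", "changed")
             for path in delta[kind]]
    return "\n".join(lines) + "\n"


def run_check(root: Path, state_file: Path) -> dict:
    """One monitoring run: diff against the last run's snapshot, then persist
    the current snapshot so the next run reports only *new* changes.
    The first run (no state file) just initialises the state and reports
    nothing. The state file must not be writable from the monitored host
    (read-only or off-host storage), or a tamperer can rewrite the baseline."""
    current = snapshot(root)
    if state_file.exists():
        delta = compare(json.loads(state_file.read_text()), current)
    else:
        delta = {"added": [], "removed": [], "changed": []}
    state_file.write_text(json.dumps(current, indent=1, sort_keys=True))
    return delta


if __name__ == "__main__":
    import tempfile
    # Constructed demo tree standing in for /etc or /usr/bin.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "passwd").write_text("root:x:0:0\n")
        state = Path(tmp) / "state.json"
        run_check(root, state)                              # run 1: initialise
        (root / "bin" / "ls").write_bytes(b"modified binary")
        (root / "unexpected.so").write_bytes(b"new file")
        print(format_report(run_check(root, state)))       # run 2: two entries
        print(repr(format_report(run_check(root, state))))  # run 3: '' (quiet)
```

The third run prints an empty report because the state was advanced after run 2; a tool that compared against the original baseline would keep repeating the same two lines every day until the operator rebuilt the database, which is exactly the noise the post warns about.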