IDS?
-
What is everyone using for IDS? I am working with a co-worker on configuring AlienVault from scratch. I set up all sorts of rules and such. This is definitely a full-time job lol.
-
Have not used AlienVault, how do you like it? What version are you using?
-
Are you meaning IDS - Intrusion Detection System?
-
@gjacobse Yes.
-
@StrongBad said in IDS?:
Have not used AlienVault, how do you like it? What version are you using?
The full paid version (not opensource) with an appliance and two sensors.
The system itself isn't bad. It definitely has a learning curve, but I believe any IDS is going to have a learning curve. My biggest complaint is the lack of online information. I think a lot of people are scared to post what they are doing on their IDS.
Overall I like it, but it has some hiccups. I have only been working with it about 3 weeks now and it has come a long way. I got to use what I learned in CEH to attack our own systems on a daily basis and improve the IDS detection ability.
-
https://mangolassi.it/topic/10086/intrusion-detection-system-experience-snort-or-others
AlienVault uses a Snort plugin to capture .pcap files of questionable events.
We were recently able to find and kill a trojan using AlienVault. Sophos did not detect it, but AlienVault did. I opened up the pcap file in Wireshark and could see that PC sending out data to Germany on an unusual port number.
-
Our new systems are going to have aide running. Just going to have a cron job run the aide check every so often.
-
@stacksofplates said in IDS?:
Our new systems are going to have aide running. Just going to have a cron job run the aide check every so often.
How soon do you want to find out if someone is doing something malicious? Are you alerted every 10 minutes, few hours, days, etc?
Also how long do you keep logs?
These are some of the IDS questions I find it very hard to find any information on. Not many are willing to talk about how long they keep their logs, etc.
-
@stacksofplates said in IDS?:
Our new systems are going to have aide running. Just going to have a cron job run the aide check every so often.
How soon do you want to find out if someone is doing something malicious? Are you alerted every 10 minutes, few hours, days, etc?
Also how long do you keep logs?
These are some of the IDS questions I find it very hard to find any information on. Not many are willing to talk about how long they keep their logs, etc.
It's probably going to run every hour. It's an air gapped network. Logs are kept for a year.
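One way to wire up the hourly AIDE check described above, with a year of local retention and a sticky marker for the next person at the console. This is an added example, not the poster's script; it assumes `aide` is installed at `/usr/sbin/aide` with an initialised database and that `/var/log/aide-checks` is writable by the cron user (both paths are placeholders, adjust to taste).

```shell
#!/bin/sh
# Hourly AIDE check wrapper for cron (added example, not from the thread).
# Install as /usr/local/sbin/aide-check.sh and drop this line into
# /etc/cron.d/aide-check (hypothetical paths):
#   0 * * * * root /usr/local/sbin/aide-check.sh run
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
LOG_DIR="${LOG_DIR:-/var/log/aide-checks}"
RETAIN_DAYS="${RETAIN_DAYS:-365}"            # thread: logs are kept for a year
ALERT_FILE="${ALERT_FILE:-$LOG_DIR/ALERT}"   # appended to whenever a check is not clean

# Run `aide --check`, keep the full report in a timestamped file, print the
# report path, and return AIDE's own exit status: 0 means the filesystem
# matches the database; bits 1/2/4 mean new/removed/changed entries (so 1-7
# is "something changed"); 14 and above are AIDE's own error codes.
run_aide_check() {
    mkdir -p "$LOG_DIR" || return 14
    report="$LOG_DIR/aide-$(date -u +%Y%m%dT%H%M%SZ).log"
    "$AIDE_BIN" --check >"$report" 2>&1
    rc=$?
    echo "$report"
    return $rc
}

# Turn an AIDE exit status into one word an operator or log shipper can key
# on. Returns 0 for clean, 1 for changed, 2 for error.
classify_aide_rc() {
    case "$1" in
        0) echo clean; return 0 ;;
        1|2|3|4|5|6|7) echo changed; return 1 ;;
        *) echo error; return 2 ;;
    esac
}

# Air-gapped box: nothing ships the logs elsewhere, so local pruning is the
# whole retention policy. Keeps RETAIN_DAYS worth of reports.
prune_old_reports() {
    find "$LOG_DIR" -name 'aide-*.log' -type f -mtime +"$RETAIN_DAYS" -exec rm -f {} +
}

main() {
    report=$(run_aide_check); rc=$?
    state=$(classify_aide_rc "$rc")
    logger -t aide-check "state=$state rc=$rc report=$report"
    if [ "$state" != clean ]; then
        printf '%s %s %s\n' "$(date -u +%FT%TZ)" "$state" "$report" >>"$ALERT_FILE"
    fi
    prune_old_reports
}
case "${1:-}" in run) main ;; esac
```

Because the report file keeps AIDE's full output, the hourly run tells you within the hour that something changed, and the report names which files, while `ALERT` accumulates every non-clean hour until someone clears it.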
-
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
-
@travisdh1 said in IDS?:
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
Do you find the agents useful? I am still testing the agents in a test environment.
-
@travisdh1 said in IDS?:
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
Do you find the agents useful? I am still testing the agents in a test environment.
OSSIM would be useless without them for me, honestly. Without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.
-
@travisdh1 said in IDS?:
@travisdh1 said in IDS?:
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
Do you find the agents useful? I am still testing the agents in a test environment.
OSSIM would be useless without them for me, honestly. Without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.
You use them for file integrity and registry change reporting, correct?
-
@travisdh1 said in IDS?:
@travisdh1 said in IDS?:
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
Do you find the agents useful? I am still testing the agents in a test environment.
OSSIM would be useless without them for me, honestly. Without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.
You use them for file integrity and registry change reporting, correct?
Yes. Mine has an internet connection, so it also gets the latest threat updates from the public pool.
-
@travisdh1 said in IDS?:
@travisdh1 said in IDS?:
@travisdh1 said in IDS?:
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
Do you find the agents useful? I am still testing the agents in a test environment.
OSSIM would be useless without them for me, honestly. Without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.
You use them for file integrity and registry change reporting, correct?
Yes. Mine has an internet connection, so it also gets the latest threat updates from the public pool.
You do the updates through SSH, right?
-
Sorry for so many questions. I have never used the open source version.
-
Sorry for so many questions. I have never used the open source version.
No problem. I'm not responding as fast anymore because some imaging jobs finished.
@travisdh1 said in IDS?:
@travisdh1 said in IDS?:
@travisdh1 said in IDS?:
I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.
Do you find the agents useful? I am still testing the agents in a test environment.
OSSIM would be useless without them for me, honestly. Without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.
You use them for file integrity and registry change reporting, correct?
Yes. Mine has an internet connection, so it also gets the latest threat updates from the public pool.
You do the updates through SSH, right?
Yep. You just might get introduced to my basic update script on the 16th.