IDS - need a fast basic setup - looking for options

njcwotx · Guru Joined: 25 Feb 2005 Posts: 587 Location: Texas

Hi, I have a requirement to install an IDS at work. We are currently looking at purchasing some solution, but this takes time to weed out what we want and most are very expensive. However, we are under the gun to "get something installed".

I was asked if I could whip up an open source IDS with Snort or equivalent product and have a way of generating reports as a stopgap. I installed Snort long ago and it actually worked. I remember it was fairly chatty and was information overload. I did not get to the point I had a front end to it. So that is a must, I need a manager to be able to look at it and see alerts and get a report.

I could use some suggestions on rigging up a listener and a front end to generate some reports and sift through alerts.

Right now, Snort and barnyard is my first thought, but I don't have a lot of experience with different choices.
_________________
Drinking from the fountain of knowldege.
Sometimes sipping.
Sometimes gulping.
Always thirsting.

massimo · Veteran Joined: 22 Jun 2003 Posts: 1226

Putting Snort's logs in Splunk, ELK or Zenoss might help you generating reports. Alerts can be triggered in Splunk or Zenoss. If you want to spend some extra effort on event correlation you can take a look at SEC. Correlated event can then in turn forwarded to ,e.g., Zenoss again although Zenoss itself is capable of correlating events (to some extent).

Another interesting project on that front (IDS) with a slightly different approach is BRO.
_________________
Hello 911? How are you?

dewke · Posted: Mon May 04, 2015 7:21 pm Post subject: