njcwotx Guru
Joined: 25 Feb 2005 Posts: 587 Location: Texas
Posted: Thu Apr 30, 2015 8:17 pm Post subject: IDS - need a fast basic setup - looking for options
Hi, I have a requirement to install an IDS at work. We are currently looking at purchasing some solution, but this takes time to weed out what we want and most are very expensive. However, we are under the gun to "get something installed".
I was asked if I could whip up an open source IDS with Snort or equivalent product and have a way of generating reports as a stopgap. I installed Snort long ago and it actually worked. I remember it was fairly chatty and was information overload. I did not get to the point I had a front end to it. So that is a must, I need a manager to be able to look at it and see alerts and get a report.
I could use some suggestions on rigging up a listener and a front end to generate some reports and sift through alerts.
Right now, Snort and barnyard is my first thought, but I don't have a lot of experience with different choices. _________________ Drinking from the fountain of knowledge.
Sometimes sipping.
Sometimes gulping.
Always thirsting.
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
Posted: Mon May 04, 2015 7:11 am Post subject:
Putting Snort's logs in Splunk, ELK or Zenoss might help you generate reports. Alerts can be triggered in Splunk or Zenoss. If you want to spend some extra effort on event correlation you can take a look at SEC. Correlated events can then in turn be forwarded to, e.g., Zenoss again, although Zenoss itself is capable of correlating events (to some extent).
Another interesting project on that front (IDS) with a slightly different approach is BRO. _________________ Hello 911? How are you?
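The reporting half of the suggestion above (a front end over Snort's alerts that can also feed ELK or Splunk), as an added worked example that is not from the post and not code from Snort, Splunk or the ELK projects: a Python script that parses Snort 2.x `alert_fast` output lines, rolls them up into a short text report for a manager, and emits one JSON object per alert for a log pipeline. The log lines are constructed samples with made-up signature IDs, messages and addresses; the JSON field names are my own choice, and the year is passed in by the caller because the fast alert format does not record it.

```python
import json
import re
from collections import Counter

# Snort 2.x alert_fast line layout (one alert per line):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: text] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification bracket is absent for rules without a classtype; ICMP lines carry no ports.
# IPv4 only here (assumption to keep the address pattern simple).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample data, not a real capture: sids 1000001-1000003 and the messages are invented.
SAMPLE_LOG = """\
04/30-20:17:05.123456  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22
04/30-20:17:06.001122  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.10:23
04/30-20:17:07.555555  [**] [1:1000002:3] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
04/30-20:17:09.000001  [**] [1:1000003:2] CONSTRUCTED suspicious login [**] [Priority: 1] {TCP} 10.0.0.5:51240 -> 192.168.1.20:3389
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "timestamp": g["ts"],
        "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"],
        "classification": g["cls"],          # None when the rule has no classtype
        "priority": int(g["prio"]),          # 1 is the most severe
        "proto": g["proto"],
        "src_ip": g["src"], "src_port": int(g["sport"]) if g["sport"] else None,
        "dst_ip": g["dst"], "dst_port": int(g["dport"]) if g["dport"] else None,
    }


def parse_log(text):
    """Parse a whole alert_fast file, silently dropping non-alert lines."""
    return [r for r in (parse_alert(l) for l in text.splitlines()) if r]


def summarize(records, top_n=5):
    """Roll alerts up by signature, priority and source address."""
    return {
        "total": len(records),
        "by_signature": Counter((r["sid"], r["msg"]) for r in records),
        "by_priority": Counter(r["priority"] for r in records),
        "top_sources": Counter(r["src_ip"] for r in records).most_common(top_n),
    }


def render_report(summary):
    """Plain-text report a non-specialist can read."""
    lines = [f"Total alerts: {summary['total']}", "", "By priority (1 = highest):"]
    for prio, n in sorted(summary["by_priority"].items()):
        lines.append(f"  priority {prio}: {n}")
    lines += ["", "Top signatures:"]
    for (sid, msg), n in summary["by_signature"].most_common():
        lines.append(f"  {n:5d}  sid {sid}  {msg}")
    lines += ["", "Top source addresses:"]
    for ip, n in summary["top_sources"]:
        lines.append(f"  {n:5d}  {ip}")
    return "\n".join(lines)


def to_event(record, year):
    """Flat dict with an ISO-8601 @timestamp, the shape Logstash/Elasticsearch (or Splunk) ingest easily.
    alert_fast timestamps omit the year, so the caller supplies it."""
    ts = record["timestamp"]                     # MM/DD-HH:MM:SS.usec
    iso = f"{year}-{ts[0:2]}-{ts[3:5]}T{ts[6:]}"
    event = {k: v for k, v in record.items() if k != "timestamp"}
    event["@timestamp"] = iso
    return event


def to_json_event(record, year):
    """One JSON line per alert, ready to be appended to a file a log shipper tails."""
    return json.dumps(to_event(record, year), sort_keys=True)


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    print(render_report(summarize(alerts)))
    for a in alerts:
        print(to_json_event(a, year=2015))
```

Run it against Snort's `alert` file (the output of `output alert_fast` in snort.conf) and redirect the JSON lines to a file that Logstash, Filebeat or a Splunk forwarder tails; the priority and signature roll-up answers the "give the manager a report" part of the request. For anything beyond a stopgap, Snort's unified2 output read by Barnyard2 is the more robust path, since it does not depend on parsing free-form text.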
dewke Tux's lil' helper
Joined: 01 Jun 2004 Posts: 77 Location: The sunshine state
Posted: Mon May 04, 2015 7:21 pm Post subject:
massimo wrote: | Putting Snort's logs in Splunk, ELK or Zenoss might help you generate reports. Alerts can be triggered in Splunk or Zenoss. If you want to spend some extra effort on event correlation you can take a look at SEC. Correlated events can then in turn be forwarded to, e.g., Zenoss again, although Zenoss itself is capable of correlating events (to some extent).
Another interesting project on that front (IDS) with a slightly different approach is BRO. |
I deployed splunk at my last job. It's a great product if you have the budget for it. _________________ Oderint dum metuant
-Caligula