I had a demo copy of NFR a while back. Unfortunately, they sent me some beta version which wasn't supposed to be released, and it kept crashing. Their sales reps took 3 months to call me back, and by that time I had already implemented snort. We also looked at Cisco's IDS.

One thing I noticed is that updates for attack signatures only come every couple of months on the commercial stuff. With snort, updates happen hourly (a new visions.conf is generated each hour on whitehats.com). The nice thing about NFR and Cisco's thing is it's pretty much already configured and ready to go. Snort requires a lot of screwing around to get alerting and reporting working as you'd like it to. However, the beta version of snort has mysql support, and there is a nifty web-based frontend for doing reporting somewhere on CERT's website.

Pricing on NFR was around $30,000 per license, and pricing on Cisco's was even more because you needed a "probe" box and you also needed the reporting box.

At cs.umn.edu, were you only sniffing traffic going to/from your border router(s), or were you sniffing *ALL* internal traffic? I haven't really devised a way to sniff all of our internal traffic since there's WAY over 1000Mbit/sec of traffic going on on any of our VLANs at any one time. Since over 70% of all compromises come from employees, it would be better to have it on the inside networks, but I guess that's what gratuitous use of firewalls is for. :)

Jay

-----Original Message-----
From: Scott Dier [mailto:dieman at ringworld.org]
Sent: Sunday, October 08, 2000 4:58 PM
To: 'tclug-list at mn-linux.org'
Subject: Re: [TCLUG:22365] Hacked

* Austad, Jay <austad at marketwatch.com> [001008 16:24]:
> If you're feeling really adventurous, set up snort
> (http://www.whitehats.com/ids). This will give you a good idea of who's
> banging on your door. It's funny to see people running windows exploits

On the flipside, if you have (tens of) thousands to throw away, check out NFR and anzen flightjacket.
Yeah, it's a windows frontend, but the backend is openbsd, and it's helped us *immensely* at cs.umn.edu in finding out what's going on with 'strange' traffic, or other such problems.

-- 
Scott Dier <dieman at ringworld.org> #nicnac at efnet
http://www.ringworld.org/ finger:dieman at destiny.ringworld.org
<CmdrTaco:#kuro5hin> SLSAHDOT IS ALWAYS NEWS FOR NERDS.