security onion as IPS system


Tino Kurth

Mar 2, 2015, 12:03:48 PM
to securit...@googlegroups.com
Hello everybody,

I would like to convert the IDS installed as Security Onion into an IPS.
Unfortunately I have not found much on this so far. Does anyone have a howto for this step?
The distribution is not supported as an IPS.

Many Thanks!


Tino

Matt .

Mar 2, 2015, 12:17:23 PM
to securit...@googlegroups.com
Did you see the link on the FAQ page? http://code.google.com/p/security-onion/wiki/FAQ

Pasting relevant entry:
Can Security Onion run in IPS mode?

Running Security Onion as an IPS requires manual configuration and is not supported. I talked about this on the Packet Pushers podcast: http://packetpushers.net/show-95-security-onion-with-doug-burks-or-why-ids-rules-and-ips-drools/

Shane Castle

Mar 2, 2015, 3:33:31 PM
to securit...@googlegroups.com
Yeah this question comes up about once every month or two.

The few times I tried to run a real NIPS it was a near-disaster. There
are just too many FP opportunities to avoid stepping on someone's
legitimate traffic. IMHO, the only sensible way to try is with HIPS, for
reasons that should be fairly obvious.

OTOH, I did use the snortsam components built into Barnyard and ran a
snortsam listener on the firewall. I set up a snortsam.conf that would
block for custom times, depending on the rule triggered. No, it wouldn't
block the actual packets that triggered the alert, but the block would
usually go into effect less than a minute after the alert happened, and
sometimes within a few seconds. And yes, sometimes they'd be FP and I
had to undo the block, fix the alert trigger, and tell the annoyed user
to try again.

--
Best regards
Shane Castle
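The reactive-blocking pattern Shane describes (an alert fires, a listener on the firewall adds a time-limited block for the offending source, and a false positive has to be undone by hand) is easy to sketch in code. The block below is an added example, not snortsam's, Barnyard's or Security Onion's code. It assumes Snort's "fast" alert line format for input, and everything else is constructed for illustration: the SID-to-block-duration table (the analogue of a per-rule block time), the never-block allowlist, the sample alert lines, and an in-memory stand-in for the firewall that only renders the iptables commands it would issue.

```python
"""Alert-driven, time-limited source blocking (illustrative; not snortsam code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Snort "fast" alert line, e.g.
# 03/02-12:03:48.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
#   [Classification: ...] [Priority: 2] {TCP} 203.0.113.10:4444 -> 192.168.1.5:80
FAST_ALERT = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed policy: seconds to block the source address, keyed by Snort SID.
# SIDs with no entry never trigger a block, however loud the alert.
BLOCK_SECONDS = {2100498: 3600, 2010937: 300}

# Constructed allowlist: internal ranges and a resolver the network depends on.
# Auto-blocking one of these is exactly the "stepping on legitimate traffic" failure.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "198.51.100.53/32")]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


@dataclass
class Firewall:
    """Stand-in for the listener on the firewall: a table of active blocks with expiry."""
    blocks: dict = field(default_factory=dict)  # src ip -> (sid, expires_at)

    def block(self, ip, sid, now, seconds):
        expires = now + seconds
        # A repeat alert never shortens an existing block; it only extends it.
        if ip in self.blocks and self.blocks[ip][1] >= expires:
            return False
        self.blocks[ip] = (sid, expires)
        return True

    def unblock(self, ip):
        """Manual removal: the 'undo the block' step after a false positive."""
        return self.blocks.pop(ip, None) is not None

    def expire(self, now):
        """Drop blocks whose time is up; returns the addresses released."""
        gone = [ip for ip, (_, exp) in self.blocks.items() if exp <= now]
        for ip in gone:
            del self.blocks[ip]
        return gone

    def iptables(self):
        """The commands this table corresponds to (rendered, not executed)."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(self.blocks)]


def handle_alert(line, fw, now):
    """Decide what to do with one alert line; returns (action, reason)."""
    a = parse_alert(line)
    if a is None:
        return ("ignore", "unparseable")
    seconds = BLOCK_SECONDS.get(a["sid"])
    if seconds is None:
        return ("ignore", f"sid {a['sid']} has no block policy")
    if is_protected(a["src"]):
        return ("ignore", f"{a['src']} is on the never-block list")
    added = fw.block(a["src"], a["sid"], now, seconds)
    return ("block" if added else "already-blocked", a["src"])


# Constructed sample alerts (RFC 5737 test addresses, not real traffic).
SAMPLE_ALERTS = [
    "03/02-12:03:48.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:4444 -> 192.168.1.5:80",
    "03/02-12:03:50.000001  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.53:5555 -> 192.168.1.9:3306",
    "03/02-12:03:51.000002  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.77:53 -> 192.168.1.5:53",
    "03/02-12:03:52.000003  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:6666 -> 192.168.1.9:3306",
    "03/02-12:03:53.000004  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.200:7777 -> 192.168.1.9:3306",
]


def run_demo():
    """Feed the samples through at t=1000, then age the table to t=1300."""
    fw = Firewall()
    decisions = [handle_alert(line, fw, now=1000) for line in SAMPLE_ALERTS]
    expired = fw.expire(now=1300)  # the 300-second block lapses, the 3600-second one stays
    return {"decisions": decisions, "expired": expired, "rules": fw.iptables(), "fw": fw}


if __name__ == "__main__":
    out = run_demo()
    for d in out["decisions"]:
        print(d)
    print("expired:", out["expired"])
    print("\n".join(out["rules"]))
```

Two design points carry over to a real deployment: the allowlist check runs before any block is issued, so a rule that misfires on internal or infrastructure traffic cannot take the network down, and every block carries an expiry, so a false positive that nobody notices still heals itself.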