Linux - Security
This forum is for all security related questions.
Not sure if this is possible, but our hardware IDP is on its last legs and I am noticing a lot of denial of service attacks getting through. I am wondering if there is a Linux app out there that will do the job just as well (if not better)? Basically the connection goes from a router to the IDP, then to the load balancer, and finally to the webservers.
I am wondering if I can put a Linux box with 2 NICs in place of the IDP running something to do the same job. I have heard a bit about Snort and started some reading, but before I go down the wrong road, someone might have some feedback on what could or could not do the same functionality.
The IDP does have a nice web interface and daily/weekly updates, so we are looking for a real "commercial" type app for production use, so again, any feedback or suggestions are appreciated.
I think you're heading the right way: Snort.
It's the basis of some commercial IDS/IDP/IPS systems out there.
But if you are looking for a Snort-based IPS with that nice web console, you might want to give StrataGuard Free a shot; there is a commercial version also.
It needs 3 NICs: 2 for inline traffic and 1 for sensor management.
Very nice web GUI and logging, but it does need a powerful machine to run.
Snort, the de facto standard, along with SnortSam (http://snortsam.net), makes the perfect Open Source/Free Software IDS/IPS solution.
Good Luck,
Angel
I coulda sworn he wanted something commercial-like (pretty GUI and such). I would've suggested BASE or OSSIM, but those take quite a bit of work to set up, so I didn't think that was what he was looking for. Snort itself (and even with SnortSam) doesn't come with a user interface...it's all command-line.
OSSIM, yes - you've brought up a nice new tool here - I'd forgotten about that; indeed it has a nice GUI, but I haven't had the chance to explore it. Nice thing.
Quote:
Snort itself (and even with SnortSam) doesn't come with a user interface...it's all command-line.
Yes, Snort & SnortSam are CLI-based apps, but there is a 3rd-party sensor management tool called IDSManager (if I'm not mistaken); I used that a couple of years ago. It has the capabilities of placing rules, creating rules, triggering updates etc., and of course we must build the sensor first.
I'll be more than happy for you to tell us how you liked it!
pros/cons
cheers.
Angel
It appears to be a Win32-based tool. That's a deal-breaker for me...it either has to be cross-platform or Linux-compatible for me to use it. I'm not even gonna test it at this point. I've got Windows machines but they're for gaming only (my security systems are *nix).
Quote:
It appears to be a Win32-based tool. That's a deal-breaker for me...it either has to be cross-platform or Linux-compatible for me to use it.
It seems to be able to connect to Snort on Linux, not necessarily Snort running on Windows; I don't know if you noticed that, but indeed it seems that there is no Linux version.
Angel
I definitely noticed. It's a manager that runs within Windows that can connect to Snort devices running on any OS. The big red flag for me is that the manager itself is Windows-based only. I don't want to manage any devices from Windows unless I absolutely have to.
Also, it only manages sensors...it doesn't appear that you can conduct security analytics from that manager. The OP is looking for something to replace his IDP, not manage existing sensors. Additionally, IDSManager is a policy manager only (with an option to restart sensors, which is a requirement after adding/editing rules)...it's not really going to help the OP. I'm assuming that the OP does look at the IDP's security logs (if he isn't, he SHOULD be...one should never just assume that an IDPS is working correctly 100% of the time).
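Added example, not a post from this thread: the "look at the sensor's security logs" step done from the command line, which is all a bare Snort replacement gives you. It reads Snort's alert_fast format and summarises who is hitting which signature; the alert lines in sample_alerts are constructed for the example and use documentation addresses, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: triage Snort alert_fast events from the
# command line. Input format is Snort's alert_fast output; the sample lines are constructed.
set -eu

# Count alerts per (sid, source IP) in an alert_fast log, most frequent first.
# Reads the file named in $1, or stdin when no file is given.
# Output columns (tab-separated): count  sid  src_ip  message
top_sources() {
    awk '
    /\[\*\*\]/ {
        # "[1:1000001:1]" is gid:sid:rev; the message sits between the two [**] markers
        if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) == 0) next
        split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
        sid = id[2]
        msg = $0
        sub(/^.*\[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)
        sub(/ \[\*\*\].*$/, "", msg)
        # the source is the "a.b.c.d:port" token just before "->"; drop the port
        src = ""
        for (i = 2; i <= NF; i++) if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src) }
        if (src == "") next
        n[sid "\t" src "\t" msg]++
    }
    END { for (k in n) print n[k] "\t" k }
    ' "${1:--}" | sort -k1,1nr -k2,2n
}

# Sources that tripped a single signature at least $1 times: the short list you would
# hand to a firewall (or SnortSam) instead of the raw event stream. Log in $2 or stdin.
flood_sources() {
    top_sources "${2:--}" | awk -F '\t' -v t="$1" '$1 >= t { print $3 }' | sort -u
}

# Constructed sample events (RFC 5737 documentation addresses), not real traffic.
sample_alerts() {
cat <<'EOF'
09/16-14:02:11.123456  [**] [1:1000001:1] SYN flood to web tier [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
09/16-14:02:11.223456  [**] [1:1000001:1] SYN flood to web tier [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.10:80
09/16-14:02:12.003456  [**] [1:1000001:1] SYN flood to web tier [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:51236 -> 192.0.2.11:80
09/16-14:02:13.000001  [**] [1:1000001:1] SYN flood to web tier [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.4:40001 -> 192.0.2.10:80
09/16-14:03:01.000001  [**] [1:1000002:1] HTTP slow-request probe [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.4:40002 -> 192.0.2.10:80
EOF
}

# Usage on a real sensor:  top_sources /var/log/snort/alert
# or on the samples:       sample_alerts | flood_sources 2
```

On the sample data `top_sources` puts 203.0.113.7 at the top with three hits on sid 1000001, and `flood_sources 2` returns only that address; the single-hit source from 198.51.100.4 is not worth blocking on its own and stays out of the list.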
Quote:
The big red flag for me is that the manager itself is Windows-based only.
Ya, but for the replacement you can try using the Snort Webmin module written by Mike Baptiste.
Quote:
The OP is looking for something to replace his IDP, not manage existing sensors.
There are things in IDS/IPS deployment called sensors and managers. The best practice is that you should not mix them both, since it can degrade your sensors' performance. You can have as many sensors as you want using 1 single manager to control them, thus providing single policy management.
@netmann,
IPCop, or Astaro, or pf, or Untangle and things like those, even though they have IDS/IPS capability, are not pure IDS/IPS; they are network firewalls (with other routing functionality like NAT/PAT). Mostly, people use a pure IDS/IPS appliance because they can have this inline bridging setting so they (the sensors) are not altering (like being modified by NAT) any traffic going to any destination (let's say from client to servers), and not utilizing some kind of NAT, thus not modifying any network topology/scenario.
Quote:
Ya, but for the replacement you can try using the Snort Webmin module written by Mike Baptiste.
I use that to manage one of my servers. Again, it only manages the IDPS policy, not the security events that it logs. I don't think this is what the OP wants (based on what he initially posted). That plugin is also very old and is now unsupported. I had to hack it to get it to work. While the plugin works and offers basic functionality, it's definitely nothing like Snortcenter (or even IDSManager).
Quote:
There are things in IDS/IPS deployment called sensors and managers. The best practice is that you should not mix them both, since it can degrade your sensors' performance. You can have as many sensors as you want using 1 single manager to control them, thus providing single policy management.
I'm aware of this (I'm a security consultant by trade and have built IDSs from the ground up for use in corporate networks). This is not what the OP is asking for. He said he had a bad security device and needed a replacement. The way I read it was that he needed something that he could quickly utilize as a replacement. You can't just grab a Snort box and replace an IDP. You have to factor in routing and bridging. A gateway OS will function better than a raw instance of a snort-inline implementation, as the gateway OS will more than likely already be optimized to pass/deny/route traffic in the IPS sense.
Commercial IDPs are considered sensors, not managers, although there are managers that manage many IDPs (Check Point's Provider-1, Netscreen's NSM...these are called supermanagers or containers). A commercial manager is a dedicated machine, as is the sensor itself. Commercial IDPs also have their own mgt interfaces. Managers and mgt interfaces are two separate terms.
There are not many equivalents of these products in the open-source world. These are usually much more robust than what I normally see in the open-source world, making it difficult for the open-source world to compete.
IMO, the gateway OSs (Astaro and such) may not compare as well as some of the other commercial solutions but the saving grace of opensource is that someone can usually tool with a gateway OS to get the results that they want. I've seen more than one company take BASE and add some very cool functionality that the developers hadn't thought of.
Lastly, if the OP's IDP is something akin to a Netscreen or Tippingpoint, he's more than likely looking for a similar solution as a replacement. For some reason, I'm thinking that if he's asking for a similar setup (intuitive GUI), he's NOT going to know how to deploy a snort sensor in inline mode and be able to do everything via CLI, including reading all security events (via CLI). Basically, there is no one app. There are a series of apps and they aren't as intuitive as OP may want.