Home page logo

basics logo Security Basics mailing list archives

RE: Setting up an IDS system
From: "Naman Latif" <naman.latif () inamed com>
Date: Mon, 3 Feb 2003 09:17:52 -0800

Thank you all for your help on this. I would definitely need some more
tips in future as I progress, but all this info is very useful in
getting me started.

Regards \\ Naman

-----Original Message-----
From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie] 
Sent: Monday, February 03, 2003 4:24 AM
To: Naman Latif
Cc: security-basics () securityfocus com
Subject: RE: Setting up an IDS system

To answer you questions my humble opinion is 

1)    Yes should be safe if it is one way traffic as in you can access
to machine with ftp for instance but it has no access back to 
internal network.  I used a web interface to my logs and then 
only needed a browser to the IDS system.  The web server was 
running on the IDS box and filtering my logs for sensibly 
viewing i.e. colour coded etc.  Some recommend takng the logs 
off the IDS machine in case a hacker breaches the machine 
they can remove the logs.  A backup tape system will do this 
and it is how I handle it.

2)    The IDS box is watching the DMZ network only so it shouldn't be
visible or in any way accessably from the internet.  If it is 
then the box should be hardened to the heightest possible 
level (as all your DMZ boxes should).  This goes back to your 
router in many cases where routing should be specific.  HTTP 
traffic to ip address xxx.xxx.xxx.xxx ONLY and not just allow 
port 80 through at the router, (touches on an earlier post 
about filters on routers).  I only run the web server service 
after the IDS stuff, as in answer 1.

3)    I have often used a separate box to monitor internal networks
but this is to be aware of traffic patterns and network 
activity. Tripwire on hosts mostly above the use of snort as 
the amount of internal traffic is high and not much use 
without specific filters but these are restricted in a 
switched network.  My DMZ is a hub and not a switch for this reason.

Other suggestion would include the use of tripwire to some 
extent, MRTG is excellent in this environment and NTOP.  Also 
putting central logging in place and then get the whole lot 
together in a web page for viewing from your desktop makes 
life very easy and manageable.

Sites to view:

Can't find it at the moment but there is a syslog server 
version that logs to a database.  Very easy to setup.  Use 
this to log your routers and servers to a database then add a 
bit of perl code to put a web front end on the database to 
watch attempts to hack your routers etc. Previous posts 
talked about Cisco logging etc.

You should be able quite easily to get the whole lot visible 
through a fairly organised web page that allows you to watch 
everything that goes on in your DMZ from the comfort of your 
desktop.  Use good filters to break down your logs and also 
produce detailed reports for the marketing people on access 
to your web site and bandwidth usage on your routers also 
helps for budget meetings.

Long email but I hope it helps.  If you have any problems 
with the above drop me a line and I will see if I can help.

One final thing I would like to add.  Know how to read your 
logs.  It is no good if you suspect and incident and find 
yourself trawling through a mountian of text files looking 
for what happened.  Logging to a database rather then a text 
file makes this easier where you can search by date or ip 
address and build a pattern of the incident.  I recommended 
two books in a previous post called 'Hacker Challenge'.  
These show exactly how efficent good logs can be.

Good luck with all that :)

Trevor Cushen
Sysnet Ltd

Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: 31 January 2003 17:34
To: security-basics () securityfocus com
Subject: Setting up an IDS system

I am in the process of setting up and IDS system using Linux\Snort in
DMZ. A couple of questions regarding this

1. Is it a safe practice to have access to this system from Inside
Network (for retrieving log files etc) from 1-2 Stations ? Ofcourse IDS
won't have access to inside network and be blocked by Firewall.

2. What kind of services should be running on IDS Station ? Should all
Web\FTp etc services be stopped ?

3. How important it is to also have an IDS system monitoring the traffic
on your Inside Network ? I believe it won't be a good idea to have the
SAME DMZ IDS system with another NIC monitoring Inside Network Traffic ?

Any other suggestions OR any Links that I can refer to ?

Regards \\ Naman


This email and any files transmitted with it are confidential and
solely for the use of the individual or entity to whom they are

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]