Contributed by jose on from the sniffing dept.
The first one is an introduction to Snort on BSD from SysAdmin Magazine. While some of the options discussed aren't OpenBSD specific, overall it covers how to set up a homebrew IDS out of several components.
The second piece covers setting up Snort on BSD with ACID and MySQL. This is pretty much a recipe, good for people assembling all the pieces together.
This kind of documentation benefits everyone, as it helps share knowledge. If you are looking for a way to help the community, documentation is always appreciated.
By James Wilkus (tflat@astrocreep.net, http://astrocreep.net)
rc.snort. You can also install oinkmaster and run this script through cron to update your rulesets using the 'update' option, if you are brave. I wanted to be able to keep independent rule sets on each interface.
By sleepy (sleepy at maximumunix.org)
I agree that snort is everyone's favourite IDS. I am not even sure if there are alternatives. One nice thing about snort is the variety of log formats it can spit.
I was going to write a snort/OpenBSD doc myself, will have to check out this article and see if there is more to be said. Right now I am examining the performance of the various log formats supported on my OpenBSD 3.2 machine. I have written a viewer for Snort XML logs called ACID-XML, which is currently available from http://www.maximumunix.org . The available version is win32 but the unix version is coming soon.
ACID is definitely a powerful tool, but personally I feel that HTML bites so I am starting a series of tools to parse and analyze snort data from a stand-alone app. Once the XML viewer is ported, I will start playing with snort binary logs. Binary output is definitely the fastest. Check out barnyard from http://www.snort.org/dl/ .
I appreciate all comments and wishes from those interested in IDS; that will be valuable input.
By Darren (darren@dazdaz.NOSPAM.org)
output CSV: /var/log/alert.csv default
I was told that the above in the docs was wrong and the correct syntax was,
output alert_CSV: /var/log/alert.csv default
Neither work on OpenBSD 3.2-stable for me.
$ ls -l /var/log/alert.csv
-rw-r--r-- 1 snort snort 0 Dec 9 15:14 /var/log/alert.csv
So far no one has provided a working solution.
I look forward to your doc.
Regards,
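sleepy's comment above is about parsing the formats Snort can emit, and Darren's is about getting the alert_csv output plugin to write anything at all. The following is an added example, not code from this page, the linked articles, or the Snort project: it parses alert_csv output in the plugin's documented "default" field order and summarizes it. The field list is taken from the Snort manual's description of alert_csv and is assumed to match the Snort version you run; the alert lines in SAMPLE are constructed sample data, not a real capture. An empty file, which is what Darren's 0-byte alert.csv would give you, parses to no records instead of raising.

```python
"""Parse Snort alert_csv output (the plugin's "default" field list) and
summarize it: hits per signature, per source, and a simple sweep check.

Assumption: the field order below is the alert_csv "default" format as
documented in the Snort manual; verify it against the Snort version you run.
"""
import csv
import io
from collections import Counter, defaultdict

DEFAULT_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Decimal fields; empty for protocols that lack them (ICMP has no ports, etc.).
INT_FIELDS = {"sig_generator", "sig_id", "sig_rev", "srcport", "dstport",
              "ttl", "id", "dgmlen", "iplen", "icmptype", "icmpcode",
              "icmpid", "icmpseq"}


def _int_or_none(value):
    return int(value) if value != "" else None


def parse_alert_csv(text, fields=DEFAULT_FIELDS):
    """Return one dict per alert line.  Blank lines are skipped, so an empty
    file (a 0-byte alert.csv) yields an empty list rather than an error; a
    line with the wrong field count raises ValueError instead of silently
    mis-assigning columns."""
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row or all(cell.strip() == "" for cell in row):
            continue
        if len(row) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(row)}")
        rec = dict(zip(fields, row))
        for name in INT_FIELDS:
            rec[name] = _int_or_none(rec[name])
        records.append(rec)
    return records


def signature_key(rec):
    """gid:sid:rev plus message, the way Snort's alert formats label a hit."""
    return f"{rec['sig_generator']}:{rec['sig_id']}:{rec['sig_rev']} {rec['msg']}"


def summarize(records):
    """Counters a first-pass analyst wants: what fired, from where, at what."""
    return {
        "by_signature": Counter(signature_key(r) for r in records),
        "by_src": Counter(r["src"] for r in records),
        "by_dst_port": Counter(r["dstport"] for r in records
                               if r["dstport"] is not None),
    }


def possible_sweeps(records, min_hosts=2):
    """Sources that triggered the same sid against at least min_hosts distinct
    destinations, as (src, sid) -> sorted destination list."""
    targets = defaultdict(set)
    for r in records:
        targets[(r["src"], r["sig_id"])].add(r["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


# Constructed sample alerts in the default field order (not a real capture).
SAMPLE = """\
12/09-15:14:23.123456,1,1000001,1,TEST SSH scan,TCP,10.0.0.23,51234,192.168.1.5,22,0:10:DC:1:2:3,0:D0:B7:4:5:6,0x3C,******S*,0xA1B2C3D4,0x0,0x0,0x4000,64,0x0,12345,60,20,,,,
12/09-15:14:24.223456,1,1000001,1,TEST SSH scan,TCP,10.0.0.23,51235,192.168.1.6,22,0:10:DC:1:2:3,0:D0:B7:4:5:6,0x3C,******S*,0xA1B2C3D5,0x0,0x0,0x4000,64,0x0,12346,60,20,,,,
12/09-15:14:25.323456,1,1000002,2,TEST ICMP ping,ICMP,10.0.0.40,,192.168.1.5,,0:10:DC:1:2:4,0:D0:B7:4:5:6,0x62,,,,,,128,0x0,777,84,20,8,0,512,1
12/09-15:14:26.423456,1,1000001,1,TEST SSH scan,TCP,10.0.0.99,40000,192.168.1.5,22,0:10:DC:1:2:5,0:D0:B7:4:5:6,0x3C,******S*,0xDEADBEEF,0x0,0x0,0x4000,64,0x0,1,60,20,,,,
"""

if __name__ == "__main__":
    recs = parse_alert_csv(SAMPLE)
    for key, n in summarize(recs)["by_signature"].most_common():
        print(f"{n:4d}  {key}")
    for (src, sid), dsts in possible_sweeps(recs).items():
        print(f"sweep? {src} sid {sid} -> {', '.join(dsts)}")
```

To run it over a real file, pass `open("/var/log/alert.csv").read()` to `parse_alert_csv`. The csv module is used rather than `str.split` so that a quoted `msg` containing a comma still lines up with the field list, and the strict field-count check means a mismatch between your Snort version's default format and DEFAULT_FIELDS shows up as an error on the first line instead of as wrong numbers in the summary.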