Sunday, June 01, 2008

Snort Report 16 Posted

My 16th Snort Report, titled "When Snort Is Not Enough," has been posted. From the article:

[I]t's important to understand how a network intrusion detection system (IDS) like Snort and techniques based upon its use fit into a holistic detection and response operation. Placing Snort within an entire security program is too broad a topic to cover in this Snort Report. Rather, let's consider when a tool like Snort is independently helpful and when you should support Snort with complementary tools and techniques.

3 comments:

Vivek Rajan said...

Good one,

Daemonlogger is cool, but what do you think about more sophisticated approaches like the Time Machine (http://www.net.t-labs.tu-berlin.de/research/tm/)?

Is there some value in retaining full content of long running (possibly encrypted) sessions?

helenjacobs said...

This comment has been removed by a blog administrator.

Jim Sansing said...

I just read your latest report and strongly agree with your comment, "So what sort of data do I recommend collecting? I have advocated what I've termed "Network Security Monitoring" or "NSM data" for several years: full content, session, statistical and alert data. Full content data is traffic in Libpcap format ..."

This is why I originally started developing the Realeyes IDS (http://realeyes.sourceforge.net). Having worked on a network monitoring team for several years, I know that the more context available for the analyst, the more effective and efficient the results will be. Snort helped us somewhat, but did not alert us to any of our severity 1 compromises. Those were reported by a tool that provided the extra data that you are recommending.

Later . . . Jim