TiVo Community Forum

TiVo Community Forum Archive 2
Covering threads with a last post date between
July 1, 2004 and December 31, 2005.
Old 12-30-2005, 06:55 PM   #1
LoadStar
LOAD"*",8,1
Join Date: Jul 2001
Location: Milwaukee, WI
Posts: 8,237
Intrusion Detection Systems?

With the recent outbreak of the WMF zero-day exploit, I'd like to get myself familiar with intrusion detection systems. I'd like a good introductory page or text on the subject, something that I can wrap my mind around fairly easily that explains how they work, what options there are out there, and basic instructions on how to implement them.

Does anyone have any input to share?
Old 12-30-2005, 07:00 PM   #2
justmike
This space for rent
Join Date: Dec 2004
Location: Lower Slower Delaware
Posts: 2,778
You can get a lot of free knowledge off of the Cisco.com web site ... enjoy!

__________________
MNoelH-You're not supposed to swallow it!

Brig1977-yes just a LITTLE is fun, not when its all over and in your mouth

Anubis- justmike is my favorite.
Old 12-30-2005, 09:12 PM   #3
boywaja
#73
Join Date: Sep 2001
Location: Clifton, VA
Posts: 1,639
Start with the Wikipedia article on intrusion detection systems. It gives you the foundation you need to start with: signature-based versus anomaly-based, host-based versus network-based, passive versus reactive (sometimes called intrusion detection versus intrusion prevention).

There are two main ways to set it up. One is to place the IDS in-line, forcing all traffic to pass through it, potentially creating a single point of failure. The other way is to set up the IDS in promiscuous mode so it listens to all traffic, and either interject a hub into your network traffic flow, or set up a switch to mirror all traffic to a single port and put the IDS on that.

A main concern for us was making the internal traffic visible to an IDS without buying an IDS for every switch (or waiting for the attack traffic to go through a choke point). We had to do some network redesign to make that happen. But you could start small and just put the IDS on a choke point.

I haven't read them, but I think a book by Richard Bejtlich would be helpful as well.

After that, it depends on whether you have money or not. I think you can still get Snort for free. I'm sure they have some forums that would help with the setup. If you have money, there are tons of IDS products. We've tried a few. To me, accurate definitions, along with reporting and correlation of events, are important. I like my ISS IDS, but it's up on the DMZ behind a firewall so it doesn't have to work very hard. My Cisco IDS frustrates me, but I am told it can do what I want (reporting/alerting) if we install more software.

__________________
Roger

TiVoFaq
Roger's Infosec Blog
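The distinctions in the post above (signature-based versus anomaly-based detection, and a passive sensor on a hub or mirror port versus an in-line sensor that can also drop traffic) can be shown in a small toy engine. The following is an added example, not code from the thread or from Snort, ISS or Cisco; the addresses, ports, payloads, rule names and the port-sweep threshold are all constructed for illustration.

```python
"""Toy IDS engine: signature rules plus one anomaly rule, run in either
passive (alert only) or inline (alert and drop) mode.
Added example with constructed traffic; not any product's real code."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature rules: (rule name, destination port or None for any port,
# regex applied to the payload).  Both rules are constructed examples.
SIGNATURES = [
    ("http-path-traversal", 80, re.compile(rb"\.\./")),
    ("test-marker", None, re.compile(rb"TEST-SIGNATURE-1")),
]


class IDS:
    """mode='passive' only records alerts (sensor on a hub or mirror port);
    mode='inline' also drops matching packets (sensor in the traffic path)."""

    def __init__(self, mode="passive", scan_threshold=10):
        if mode not in ("passive", "inline"):
            raise ValueError("mode must be 'passive' or 'inline'")
        self.mode = mode
        self.scan_threshold = scan_threshold          # hypothetical baseline
        self.ports_seen = defaultdict(set)            # src -> distinct dports
        self.alerts = []                              # (rule, src, dst, dport)

    def _signature_hits(self, pkt):
        """Signature model: known-bad content matched against each packet."""
        return [name for name, port, rx in SIGNATURES
                if (port is None or port == pkt.dport) and rx.search(pkt.payload)]

    def _anomaly_hit(self, pkt):
        """Anomaly model: a source touching more distinct destination ports
        than the baseline allows.  Fires once, when the threshold is reached,
        so a long sweep produces a single alert rather than one per packet."""
        self.ports_seen[pkt.src].add(pkt.dport)
        return len(self.ports_seen[pkt.src]) == self.scan_threshold

    def process(self, pkt):
        """Inspect one packet; return True if forwarded, False if dropped."""
        hits = self._signature_hits(pkt)
        if self._anomaly_hit(pkt):
            hits.append("port-sweep-anomaly")
        for rule in hits:
            self.alerts.append((rule, pkt.src, pkt.dst, pkt.dport))
        # Only an in-line sensor is in a position to drop; a passive sensor
        # on a mirror port sees a copy and can do nothing but alert.
        return not (self.mode == "inline" and hits)


# Constructed sample traffic: two benign/matching HTTP requests, one SMTP
# packet carrying the test marker, and a 12-port sweep from a third host.
SAMPLE_TRAFFIC = (
    [Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
     Packet("10.0.0.5", "10.0.0.80", 80, b"GET /../../secret.txt HTTP/1.1"),
     Packet("10.0.0.7", "10.0.0.25", 25, b"EHLO test TEST-SIGNATURE-1")]
    + [Packet("10.0.0.9", "10.0.0.80", port, b"") for port in range(1, 13)]
)


def run(mode, traffic):
    """Run the engine over a traffic list; return (forwarded count, alerts)."""
    ids = IDS(mode)
    forwarded = sum(1 for pkt in traffic if ids.process(pkt))
    return forwarded, ids.alerts


if __name__ == "__main__":
    for mode in ("passive", "inline"):
        fwd, alerts = run(mode, SAMPLE_TRAFFIC)
        print(f"{mode}: forwarded {fwd}/{len(SAMPLE_TRAFFIC)} packets")
        for rule, src, dst, dport in alerts:
            print(f"  ALERT {rule}: {src} -> {dst}:{dport}")
```

In passive mode every packet is forwarded and the three alerts (two signature hits, one anomaly) are the whole output, which is what a sensor on a mirror port or hub can give you; in inline mode the same three packets are dropped, which is the single-point-of-failure trade-off the post mentions. The anomaly rule also shows why the poster cares about where the sensor sits: the port sweep is host-to-host traffic inside the network, and a sensor placed only at the DMZ choke point would never see it.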