
hi


What is the best free Intrusion Detection System (IDS)?

asked 07/25/2011 11:25


ymg800 ♦♦


17 Answers:
SNORT

srniks

Can I install it on Windows? I saw that I can, but after installation I don't see any GUI?

Please help me to get started.

ymg800

Try IDScenter, which can be used as the GUI for SNORT; it can be downloaded from http://www.engagesecurity.com/products/idscenter/

Alternately, you can use SNORT through the command prompt.

In the command prompt, go to c:>snort\bin> and enter snort -h. This will give you an index of all the commands for all functions.
For more information, please refer to this link: www.homepages.dsu.edu/malladis/teach/754/Slides/Snort.ppt. This will help you to get started.


srniks

Are there more user-friendly free IDS applications?

ymg800

Hello,

You can use Insta-Snorby, a ready-made package of Snort with a Ruby on Rails application for network security monitoring.

Check it out at http://snorby.org/

Thanks

inaxis

Well, I downloaded Snorby and loaded the ISO as a CD via Hyper-V, and setup started, but it's saying that it can't find my network adapter, and I see some pure text menu and can't move from there.

Their site shows a shiny, nice GUI interface. How do I make it work? I didn't see any good manual there for the appliance.

Thanks

ymg800

Snort will work on Windows, as does Suricata. Neither has a GUI, but there are 3rd-party applications like Snorby/Sguil/BASE/AAnval and more that give you a way to view your alerts. Editing and configuring either is done with config files and by using the command line. There are "live CDs" that you can use, like Security Onion http://code.google.com/p/security-onion/ and, as mentioned above, https://github.com/Snorby/insta-snorby

Linux doesn't sound like your thing, however, as it can be command-line driven, especially with these bootable CDs. You may want to try some of the Windows installs for Snort:
http://www.snort.org/assets/151/Installing_Snort_2.8.6.1_on_Windows_7.pdf
Suricata doesn't have much of a guide for Windows yet; as far as I know, I am the first person to make a stable exe for it: http://xinn.org/Suricata/Suricata.zip
But it is compatible with Snort rules (98% compatible) and is as good as, if not better than, Snort currently.
It too must be started from the cmd line, but you can use the same web interfaces as Snort does.
-rich

richrumble
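The reply above explains that Snort and Suricata produce alerts and that the front ends only give you a way to view them. As an added example (not code from this thread or from the Snort project), here is a small Python parser for Snort's `-A fast` alert output that summarises alerts per signature and per priority from the command line, so you can triage without any GUI. The sample alert lines are constructed, not captured traffic.

```python
import re
from collections import Counter

# Layout of one Snort "-A fast" alert line:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src -> dst
# The Classification field is absent when a rule has no classtype.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


def summarize(lines):
    """Count alerts per (sid, msg) and per priority; unparseable lines are counted, not dropped silently."""
    by_sig, by_prio, bad = Counter(), Counter(), 0
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            bad += 1
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_prio[alert["prio"]] += 1
    return by_sig, by_prio, bad


# Constructed sample lines in Snort fast-alert format (not real captured data).
SAMPLE = """\
07/25-11:25:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:53211
07/25-11:25:02.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5
garbled line
"""

if __name__ == "__main__":
    sigs, prios, bad = summarize(SAMPLE.splitlines())
    for (sid, msg), n in sigs.most_common():
        print(f"{n:5d}  sid {sid}  {msg}")
    print("by priority:", dict(prios), "unparsed:", bad)
```

Run it against a real alert file with `summarize(open("alert").read().splitlines())`; the unparsed count tells you when the output format is not what this parser expects.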

Well, it looks like Snorby has a nice GUI interface, but I didn't manage to get it to work.

Is there any guide for Snorby?

ymg800

There is an e-book for Snorby, but most of it is still in progress though

@ https://github.com/Snorby/snorby/wiki/Snorby-E-Book

Besides Snorby, you may also want to check out other alternative front-end GUI versions. ACID & BASE are both web-based IDS alert management systems. Sguil uses a dedicated client instead of running through a web browser, so you get a richer, more responsive user interface as well. But it may not be as nice as Snorby, though.

@ http://security.stackexchange.com/questions/2041/snorts-great-but-base-isnt-what-are-some-alternative-front-ends

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis. The Sguil client is written in Tcl/Tk and can be run on any operating system that supports Tcl/Tk (including Linux, *BSD, Solaris, MacOS, and Win32).

There is a chapter on Sguil in

@ http://ptgmedia.pearsoncmg.com/images/0321246772/samplechapter/bejtlich_chs.pdf


breadtan

Well, I installed Snorby on VMware Workstation; it worked well and managed to find my network device, unlike when I installed it with Hyper-V, where it didn't.

But right now I access Snorby via the browser, and the appliance says that the default username is snorby@snorby.org and the password is snorby, but when I enter those in the web interface it says that those credentials are incorrect.

How do I log in to the web interface?


ymg800

By the way, what about AlienVault? Anyone tried it?

Looks like it is easy to set up and has a nice and easy interface.

ymg800

See if this link helps, as they shared different logins based on the VM image put up.

http://bailey.st/blog/snorby-spsa/

Did not play with AlienVault, otherwise known as OSSIM. It is actually a SIEM-type engine that is supposed to take in other types of supported logs, e.g. syslog, event log, etc., and correlate them to trigger on rule alerts. Snort is just another source provider as long as OSSIM supports the format, like syslog.

breadtan

Already tried that password, but it didn't work.

Any other advice?

ymg800

Breadtan, I didn't quite get it. Are you saying that snorby@snorby.org and snorby is the password? If yes, I already tried that.

I downloaded the old version and login was successful, but it's the older version; the credentials for the new version are invalid.

ymg800

Different versions have different logins, at least according to the previously shared articles (I did not try, though).
I assume that you have tried both those ISOs.

http://bailey.st/blog/snorby-spsa/
http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution

Probably best to check with Snorby support to see if they can help; they even have a demo image which uses another set of logins.

http://snorby.org/#support

breadtan

Seen: 451 times

Last updated: 09/13/2011 05:53