Re: ISA and SNORT


From: Joris Dobbelsteen (none.of_at_your.business)
Date: 03/09/04


Date: Tue, 9 Mar 2004 21:51:37 +0100

I have SNORT running here on a Win2003 with ISA 2000. It requires no
reboots.

I used WinPCap 3.0 (not the 3.1 beta version), which works fine.
The system is a Via C3 behind a 1 Mb Internet Line, with a Via Rhine II
(internal 100 Mbps) and an old D-Link DE-530+ (Internet 10 Mbps).

I haven't figured out whether an inbound packet is first passed through the
ISA filters before Snort analyzes it.

There are really great documents at www.winsnort.com!
Check out "Installation Guides"
--> Windows IDS Install Guides - MSSQL
--> Installing a complete IDS using the IIS 5/6 WebServer.
Choose the configuration which suits you.

I've followed this document up to where the web server configuration was.
Snort is analyzing, logging into the MSSQL server.
I've not been working on tuning the rule set and things like that.
Also I haven't set up the web server with all the stuff. IIS6 seems to need
some configuration when installing PHP on it, there are plenty of docs about
this. See www.php.net for more information, I believe it is somewhere here.
Otherwise google will do the trick.

There is also a full package EagleX
(www.engagesecurity.com/products/eaglex/) which can ease installation. It
comes with the apache server, which is installed. (Personally I prefer to
know what I'm installing, especially on my Internet gateway).

- Joris

"Edgar Engibarian" <edgar@bellcpa.com> wrote in message
news:eHewr0WBEHA.2360@TK2MSFTNGP10.phx.gbl...
> Cool Thanks
>
> I looked at snort windows version and I didn't see any detailed
> documentation on how to use snort in windows.... I am all Win guy no Linux
> so having hard time with it. I would appreciate it if you post details on
> how you implement it.
>
> Thanks
>
> Edgar
>
> "Joris Dobbelsteen" <none.of@your.business> wrote in message
> news:404cfa5a$0$2443$4a441750@news.euronet.nl...
> > I'm currently making an attempt to set this up. I'll let you know if it
> > worked...
> >
> > - Joris
> >
> >
> > "Edgar Engibarian" <edgar@bellcpa.com> wrote in message
> > news:evmG17TBEHA.2720@TK2MSFTNGP11.phx.gbl...
> > > If I am not mistaken snort has a windows version and I wanted to know if
> > > anyone tried to combine snort and ISA? Or is there another free IDS product
> > > for ISA ?
> > >
> > >
> >
> >
>
>


