Focus on IDS
Re: Need help/info May 26 2009 07:51AM
Daniel, Akos (a daniel drillisch-telecom de)

It is the same for me. I need to plan and deploy an IPS/IDS system for our hub-spoke sites.
But I think I may not spend any time with a self-installed free product.
Until I set up the basic things required for an IPS:
- Event Correlation
- Alert Setup
- Some/default Reports
- Automatic updates (1. Signature database updates. 2. OS updates)
- Secured/task-specific OS (only required packages should be installed)
- Manageability (e.g. GUI, user management)
- Predefined backup and restore functions
- Automatic log archiving (there is never enough space)
- High Availability, if required
- ...

In your case as well, I think it is too much to expect from a security engineer without experience, or the impact of using an IPS seems to be low (it is definitely not business critical).

Huh, that sounds a little bit negative, but I want to help! :-)
I am in the same situation, as I mentioned.
There should be a company with IT security services near your site.
What I plan for my company (as I did once before) is to ask for trial products and some introduction with an allocated engineer for a day.
As I have experienced, such companies can give you the box (Cisco IPS, Checkpoint, Juniper, Sourcefire, whatever box) for a couple of days if they smell business :-).
Whatever they feel, it is like a car: if you don't like it, you will leave it.

So first of all, think over what you will need in future and what you have to monitor.
- Topology of your company
- Bandwidth of the sites
- Do you have sensitive hosts or servers on all sites?
- Do you have sensitive applications on all sites?
- How many internet gateways do you have? Do you have one on all sites?
- etc...

Hope you can find something useful in my answer. If not, maybe this one can help you start your journey in the world of Snort:


-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On behalf of Joel Esler
Sent: Monday, 25 May 2009 21:57
To: ubernewbie
Cc: focus-ids (at) securityfocus (dot) com [email concealed]
Subject: Re: Need help/info

I might suggest the Snort Mailing lists, available via
I might also suggest the forums, available at
Furthermore I might also suggest the IRC channel on in #snort


On Wed, May 20, 2009 at 6:25 PM, ubernewbie <duppyconqueror33 (at) gmail (dot) com [email concealed]> wrote:
> I work for a small company with a hub/spoke network. I've been tasked with
> setting up an IDS(Snort) to begin monitoring security related events and
> basically build out a security program/infrastructure.  Do any of you have
> any good sites/forums that go into the process of intrusion detection? I can
> get the alerts from snort but there are so many that it's hard to make
> heads or tails. I'm looking for ideas on what to look for and what to pay
> specific attention to.  Also any good websites that alert/explain new
> vulnerabilities would be great. Any help would be appreciated.
> --
> View this message in context:
> Sent from the IDS (Intrusion Detection System) mailing list archive at

joel esler | Sourcefire

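The practical problem running through this thread (far more Snort alerts than a person can make heads or tails of, and the "event correlation" and "alert setup" items on the checklist) is a triage step. Below is an added example, not code from any poster and not part of Snort itself: a small Python script that parses Snort's alert_fast output format, collapses the alerts per signature ordered by Snort priority (1 is most severe), and flags any source that touches many distinct destinations. The alert lines, SIDs and addresses are constructed for the example, and the regex assumes IPv4 endpoints.

```python
"""Snort alert_fast triage (added example; all sample data is constructed)."""
import re
from collections import Counter, defaultdict

# One alert_fast record looks like (constructed sample):
# 05/20-18:25:01.100000  [**] [1:1000001:3] MSG [**] [Classification: X] [Priority: 1] {TCP} A:P -> B:P
# Assumes IPv4 endpoints; ICMP records carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: SIDs in the local (1000000+) range, documentation IPs.
SAMPLE_ALERTS = """\
05/20-18:25:01.100000  [**] [1:1000001:3] LOCAL Inbound SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:50210 -> 192.168.10.5:22
05/20-18:25:02.200000  [**] [1:1000001:3] LOCAL Inbound SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:50211 -> 192.168.10.5:22
05/20-18:25:03.300000  [**] [1:1000002:1] LOCAL ICMP echo from untrusted net [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.10.5
05/20-18:25:04.400000  [**] [1:1000002:1] LOCAL ICMP echo from untrusted net [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.10.6
05/20-18:25:05.500000  [**] [1:1000002:1] LOCAL ICMP echo from untrusted net [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.10.7
05/20-18:25:06.600000  [**] [1:1000003:2] LOCAL Web server returned error 500 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.10.20:80 -> 192.168.20.15:41002
05/20-18:25:07.700000  [**] [1:1000003:2] LOCAL Web server returned error 500 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.10.20:80 -> 192.168.20.16:41003
05/20-18:25:08.800000  [**] [1:1000004:1] LOCAL Outbound connection to known C2 port [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.20.15:49152 -> 198.51.100.9:4444
this line is not a snort alert
"""


def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def triage(lines, fanout_threshold=3):
    """Collapse raw alerts into something a person can act on.

    Returns a dict with:
      by_signature: one entry per SID, most severe priority first, then by count
      fanout: sources that hit at least fanout_threshold distinct destinations
      unparsed: number of non-empty lines that were not alert_fast records
    """
    per_sid = {}
    dsts_by_src = defaultdict(set)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        a = parse_fast_alert(line)
        if a is None:
            unparsed += 1          # keep a count so a broken feed is noticed
            continue
        entry = per_sid.setdefault(a["sid"], {
            "sid": a["sid"], "msg": a["msg"], "prio": a["prio"],
            "count": 0, "sources": Counter(),
        })
        entry["count"] += 1
        entry["sources"][a["src"]] += 1
        dsts_by_src[a["src"]].add(a["dst"])
    by_signature = sorted(per_sid.values(), key=lambda e: (e["prio"], -e["count"]))
    fanout = {src: len(dsts) for src, dsts in dsts_by_src.items()
              if len(dsts) >= fanout_threshold}
    return {"by_signature": by_signature, "fanout": fanout, "unparsed": unparsed}


def report(lines):
    """Human-readable summary; returned as text so it can be logged or mailed."""
    t = triage(lines)
    out = ["signature summary (priority, count, sid, message, top source):"]
    for e in t["by_signature"]:
        top_src = e["sources"].most_common(1)[0][0]
        out.append(f"  p{e['prio']} x{e['count']:<3} sid {e['sid']}  {e['msg']}  [{top_src}]")
    if t["fanout"]:
        out.append("sources touching many distinct hosts:")
        for src, n in sorted(t["fanout"].items(), key=lambda kv: -kv[1]):
            out.append(f"  {src} -> {n} destinations")
    out.append(f"unparsed lines: {t['unparsed']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS.splitlines()))
```

Run against a real alert file with `report(open("alert").read().splitlines())`. Sorting by Snort priority and then by count is a deliberate choice: two priority-1 hits deserve a look before three hundred priority-3 ICMP alerts, and the fan-out check surfaces one source sweeping several hosts even when each individual alert is low priority.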

