Do you guys use any intrusion detection on your servers?
What would you recommend? Did hear nice things about snort, is it worth the hassle to set that up? Any better alternative?
No one has experience with that stuff?
For host based IDS take a look at OSSEC. For packet analysis IDS I would recommend Snort or Suricata.
I am testing pfSense with extra ip lists and I have Snort installed as well.
You need to train your Snort to fit your needs but it seems like a good choice.
At my current dev machine I don't have any sites installed or pointed to that server. I only have a few VMs installed and one of them is a media/torrent/etc. server.
Right after I installed it I saw lots of alerts at Snort and some blocked IPs. I needed to suppress some rules, enable/disable some more.
Right now, after pfSense denies most of the bad and known IPs, at Snort most of the alerts I see are like port scanners, experimental scanners etc.
Some people suggest Suricata as well but that's beyond my knowledge, except that if your firewall/IDS has multiple cores Suricata performs better.
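As an added example (not code from this thread or from the Snort project): a small Python triage of Snort `alert_fast` lines that applies the kind of tuning the post describes, dropping a signature by gid:sid or ignoring a known source, and counting what remains so you can see which rules are worth suppressing. The sample alerts, the LOCAL SIDs and the IPs are constructed; the regex follows the Snort 2.x `alert_fast` layout.

```python
import re
from collections import Counter

# Snort 2.x alert_fast layout:
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Parse one alert_fast line into a dict; None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert

def triage(lines, suppress_sigs=(), suppress_src=()):
    """Count alerts per signature after dropping suppressed ones.

    suppress_sigs: "gid:sid" strings (what a Snort `suppress gen_id X, sig_id Y` would drop)
    suppress_src:  source IPs to ignore (what `track by_src, ip ...` would drop)
    Returns (Counter of remaining alerts keyed by "gid:sid msg", number dropped)."""
    kept, dropped = Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line (e.g. log noise); skip it
        sig = f'{alert["gid"]}:{alert["sid"]}'
        if sig in suppress_sigs or alert["src"] in suppress_src:
            dropped += 1
            continue
        kept[f'{sig} {alert["msg"]}'] += 1
    return kept, dropped

# Constructed sample alerts using documentation IP ranges, not real captured traffic.
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "01/15-10:23:46.000001  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "01/15-10:24:01.000000  [**] [1:1000001:2] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 198.51.100.5:22",
    "01/15-10:25:13.000000  [**] [1:1000002:1] LOCAL noisy scanner check [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.99:40000 -> 198.51.100.5:80",
    "01/15-10:25:14.000000  [**] [1:1000002:1] LOCAL noisy scanner check [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.99:40001 -> 198.51.100.5:80",
]
```

Running `triage(SAMPLE_ALERTS)` first shows the raw counts; re-running with the noisy signature and the scanning source suppressed leaves only the alert that deserves attention.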
I've had Snort and something like AIDE or tripwire on my to-learn list for a while now