Comments
No one has experience with that stuff?
For host based IDS take a look at OSSEC. For packet analysis IDS I would recommend Snort or Suricata.
I am testing pfSense with extra ip lists and I have Snort installed as well.
You need to train your Snort to fit your needs but it seems like a good choice.
On my current dev machine I don't have any sites installed or pointed to that server. I only have a few VMs installed and one of them is a media/torrent/etc. server.
Right after I installed it I saw lots of alerts in Snort and some blocked IPs. I needed to suppress some rules and enable/disable some more.
Right now, after pfSense denies most of the bad and known IPs, most of the alerts I see in Snort are things like port scanners, experimental scanners, etc.
Some people suggest Suricata as well, but that's beyond my knowledge, except that if your firewall/IDS has multiple cores, Suricata performs better.
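The tuning step described above (looking at which rules fire most and suppressing the noisy ones) can be done from the Snort "fast" alert log instead of by eye. The script below is an added example, not code from the poster or from the Snort/pfSense projects: it parses fast-format alert lines, counts hits per rule and source IP, and prints Snort 2 threshold.conf-style `suppress` lines for the noisiest pairs. The alert lines and the SIDs in the 1000001+ local range are constructed sample data.

```python
import re
from collections import Counter

# Snort "fast" alert format, one alert per line, e.g.:
# 01/15-10:23:45.123456  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 2] {TCP} 203.0.113.5:51000 -> 192.0.2.10:22
# Ports are optional so ICMP alerts ({ICMP} a.b.c.d -> e.f.g.h) also parse.
FAST_ALERT = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (RFC 5737 test addresses, local SIDs); not real traffic.
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] LOCAL portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51000 -> 192.0.2.10:22",
    "01/15-10:23:45.223456  [**] [1:1000001:1] LOCAL portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51001 -> 192.0.2.10:80",
    "01/15-10:23:45.323456  [**] [1:1000001:1] LOCAL portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51002 -> 192.0.2.10:443",
    "01/15-10:24:01.000001  [**] [1:1000002:1] LOCAL torrent tracker announce [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.20:49152 -> 198.51.100.7:6969",
    "01/15-10:24:31.000001  [**] [1:1000002:1] LOCAL torrent tracker announce [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.0.2.20:49153 -> 198.51.100.7:6969",
    "01/15-10:25:12.500000  [**] [1:1000003:2] LOCAL icmp sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "this line is not an alert and must be skipped",
]

def parse_alert(line):
    """Return gid/sid/msg/src/dst for one fast-format line, or None if it does not match."""
    m = FAST_ALERT.search(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("gid", "sid", "msg", "src", "dst")}

def count_by_sid_src(lines):
    """Count alerts per (gid, sid, source IP) and remember each rule's message text."""
    counts, msgs = Counter(), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        counts[(a["gid"], a["sid"], a["src"])] += 1
        msgs[(a["gid"], a["sid"])] = a["msg"]
    return counts, msgs

def suppression_candidates(lines, min_hits=3):
    """Emit Snort 2 'suppress' lines (threshold.conf syntax) for every rule/source pair
    that fired at least min_hits times, noisiest first. Review each before applying:
    a by_src suppression hides that source for that rule only, not the rule itself."""
    counts, msgs = count_by_sid_src(lines)
    out = []
    for (gid, sid, src), n in counts.most_common():
        if n < min_hits:
            break
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}  # {n}x {msgs[(gid, sid)]}")
    return out

if __name__ == "__main__":
    print("\n".join(suppression_candidates(SAMPLE_ALERTS, min_hits=2)))
```

Point it at a real `alert` file (`suppression_candidates(open("/var/log/snort/alert"))`) and raise `min_hits` until only the rules you actually intend to silence for that source remain.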
Thanks!
I've had Snort and something like AIDE or Tripwire on my to-learn list for a while now