Hello Andy,
I believe you are very well set up the way you are in technology. I see you are 
surrounded by BSD systems everywhere, on servers, mobile and desktop. And I 
suggest you keep running FreeBSD for this new security requirement you have.
We run FreeBSD as an IDS/IPS system on several sites, and pfSense on a couple of 
others. From my experience, we started using Snort, the common path people 
usually follow, but under certain circumstances the drop ratio (unprocessed 
packets) started to rise a lot, and we looked for options. We tried Bro and 
Suricata, and with some help from one of our server suppliers we decided to give 
Suricata a special tuning try, and it became our primary option for IDS.
Therefore I strongly suggest you start researching around Bro vs Snort vs 
Suricata and try to reach your conclusions from your own findings. But if you 
ask me for a suggestion, as a long-time user of Snort, I deprecated it in favor 
of Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is 
a very serious project with very good software provided.
We run ServerU networking servers, and they are the vendor who supported us. 
Usually they offer their own software solution called ProApps; it's a system 
made on top of FreeBSD which gives you full root access, etc., a plain old good 
FreeBSD system, but with nice auto-update features and a helpful web GUI which 
allows me to delegate IDS operations to different levels of staff operators on 
my team. 
They allow using their ProApps solution on ServerU hardware, so if you intend 
to add new hardware to your project, it might be worth a try. I find the tool very 
powerful and very complete.
On the pfSense side you have a third-party package made by community members; it 
also has a nice GUI and good deployment practices, but it is Snort based. 
At one special location we needed even more performance for packet capturing, 
and we added Suricata running in Netmap mode, and it raised performance three 
times on the same box.
So if you are looking for something easy, ready and supported, go for 
ServerU+ProApps. If you are looking for plain good open source arranged the way 
you want to, you can have just the same with FreeBSD + Suricata & Friends.
Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + 
Sguil + Snortsam is my suggested pathway to go, with Richard Bejtlich's books 
in your hand for good analysis learning and IDS best common operation 
practices. And maybe I can be of some help; private-mail me if you want to.
Regards,
> From: a...@newslink.com
> Subject: Intrusion Detection recommendations
> Date: Fri, 13 Feb 2015 11:40:06 -0600
> To: nanog@nanog.org
> 
> NANOG'ers,
> 
> I've been tasked by our company president to learn about, investigate and 
> recommend an intrusion detection system for our company.
> 
> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, 
> iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We 
> are protected by a FreeBSD firewall setup, and we stay current on 
> updates/patches from Apple and FreeBSD, but that's as far as my expertise 
> goes.
> 
> Initially, what do people recommend for:
> 
> 1. Crash course in intrusion detection as a whole
> 2. Suggestions or recommendations for intrusion detection hardware or software
> 3. Other things I'm likely overlooking
> 
> Thank you all in advance for your wisdom.
> 
> 
> ----
> Andy Ringsmuth
> a...@newslink.com
> News Link – Manager Technology & Facilities
> 2201 Winthrop Rd., Lincoln, NE 68502-4158
> (402) 475-6397    (402) 304-0083 cellular
> 