


deepsh.it SnortBox

I STOPPED MAKING SNORTBOX AS I AM CURRENTLY EMPLOYED BY THE BEST IPS VENDOR AVAILABLE ON THE MARKET....


deepsh.it SnortBox Network Intrusion Detection System (NIDS) is my stealth startup project:
the cheapest Network Intrusion Detection System (NIDS) box on the market, based on Snort™ Intrusion Detection System + MySQL + ACID on a FreeBSD box.

deepsh.it SnortBox: the cheapest but extremely powerful NIDS appliance.

It's cheap because it is based on Snort™, a respected open source IDS, and built on second-hand hardware.
It's powerful because Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort is considered superior to most commercial NIDS: check out an old Network Computing report card on NIDS
based on Snort version 1.7. The current version of Snort is 2.1.
Snort was chosen as best open source product of 2003 by Information Security Magazine.

If you are a system/network admin and you are currently relying only on a firewall, antivirus and backups to protect your network... this box is for you.

A firewall and antivirus alone are just not enough: check out how many of the SANS Top 20 vulnerabilities a firewall and antivirus can actually mitigate.

Firewall, antivirus and IDS compared in mitigating the SANS Top Twenty Most Critical Internet Security Vulnerabilities, Version 4.0, October 8, 2003:

Top Vulnerabilities to Windows Systems

  ID   Vulnerability                               Firewall   Antivirus   IDS*
  W1   Internet Information Services (IIS)         NO         NO          YES
  W2   Microsoft SQL Server (MSSQL)                NO         NO          YES
  W3   Windows Authentication                      NO         NO          in some cases YES (example)
  W4   Internet Explorer (IE)                      Use Mozilla!!! and thank me later [;-)]
  W5   Windows Remote Access Services              NO         NO          YES (examples: RPC, NETBIOS)
  W6   Microsoft Data Access Components (MDAC)     NO         NO          YES
  W7   Windows Scripting Host (WSH)                NO         YES         NO
  W8   Microsoft Outlook and Outlook Express       NO         YES         NO, but I strongly believe that only idiots use Outlook. No offence, but it is the truth. I prefer mutt or Eudora.
  W9   Windows Peer to Peer File Sharing (P2P)     NO         MAYBE       YES**
  W10  Simple Network Management Protocol (SNMP)   DEPENDS    NO          YES

Top Vulnerabilities to UNIX Systems

  ID   Vulnerability                                                        Firewall   Antivirus   IDS
  U1   BIND Domain Name System                                              NO         NO          YES
  U2   Remote Procedure Calls (RPC)                                         DEPENDS    NO          YES
  U3   Apache Web Server                                                    NO         NO          YES
  U4   General UNIX Authentication: Accounts with No Passwords or Weak Passwords   NO   NO        NO
  U5   Clear Text Services                                                  NO         NO          NO
  U6   Sendmail                                                             NO         NO          YES
  U7   Simple Network Management Protocol (SNMP)                            DEPENDS    NO          YES
  U8   Secure Shell (SSH)                                                   NO         NO          YES
  U9   Misconfiguration of Enterprise Services NIS/NFS                      NO         NO          YES
  U10  Open Secure Sockets Layer (SSL)                                      NO         NO          YES

* The URL links are only a subset of the related Snort signature database.
** Interestingly, the SANS Top 20 specifically mentions Snort as a mitigation for the Windows Peer to Peer File Sharing (P2P) vulnerability.

Relying only on a firewall and antivirus is not enough because, for example, when you configure your firewall to allow inbound Web traffic, you are *not* allowing only Web traffic... you are allowing TCP packets to destination port 80. This means specially crafted packets can pass your firewall with no problem, and if your Web server has a security hole... Ciaooo

Yeah, Cisco PIX does some application layer checking, but it is still only a simple syntax check that can easily be fooled. And yes, Cisco PIX also has IDS capability, but even in version 6.3 it not only has a laughable "up to 55 different attack signatures", it also covers only obsolete, ancient attacks like TCP SYN+FIN flags, ping of death...

It is true that with a firewall you can mitigate IIS server, SSH server or other vulnerabilities, BUT you have to block these services completely, meaning you cannot offer these services anymore; in most cases blocking important services is not an option.

The very bad news is that most attacks come from inside the network, not from outside, which is something a firewall can hardly protect against.

The fact is: most system/network admins don't know what kind of traffic is running on their network. Most admins have a false sense of security after installing a firewall, and just panic when worms cause havoc on their network. It happened to me too... hehehe

A NIDS sniffs all packets running on the network and checks for intrusion attempts, looking for malicious packets.
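As an added example (not code from this page or from the Snort project), the following Python script puts the two checks side by side over constructed packets: a stateless filter that allows TCP to port 80, exactly as the firewall rule above does, and a toy matcher for a small subset of Snort rule syntax (msg, content with |hex| escapes, nocase, flags). The rules, addresses and payloads are constructed for illustration, and the sid numbers are in the local-rule range rather than real Snort signature IDs.

```python
# Added example: port-only packet filter vs. a toy Snort-rule matcher.
# Rules, addresses and payloads below are constructed for illustration;
# this is not Snort's own rule engine, just the idea behind it.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dport: int
    flags: str = ""        # TCP flags as letters: S=SYN, F=FIN, P=PSH, A=ACK
    payload: bytes = b""


def firewall_allows(pkt: Packet, allowed_ports=(80,)) -> bool:
    """Stateless filter: permit inbound TCP to the listed ports. It never
    looks at the payload, so a crafted request is indistinguishable from a
    benign one."""
    return pkt.proto == "tcp" and pkt.dport in allowed_ports


@dataclass
class Rule:
    msg: str = ""
    proto: str = "any"
    dport: str = "any"
    content: Optional[bytes] = None
    nocase: bool = False
    flags: Optional[str] = None


# Header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"alert (\w+) \S+ \S+ -> \S+ (\S+) \((.*)\)$")
OPT_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;')


def decode_content(text: str) -> bytes:
    """Snort content syntax: literal text, with |..| delimiting hex bytes."""
    out = b""
    for i, chunk in enumerate(text.split("|")):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return out


def parse_rule(text: str) -> Rule:
    """Parse msg/content/nocase/flags; other options (sid, ...) are ignored."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    proto, dport, options = m.groups()
    rule = Rule(proto=proto, dport=dport)
    for key, val in OPT_RE.findall(options):
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.content = decode_content(val)
        elif key == "nocase":
            rule.nocase = True
        elif key == "flags":
            rule.flags = val
    return rule


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    # flags:SF means exactly SYN and FIN set (no modifiers in this subset)
    if rule.flags is not None and set(pkt.flags) != set(rule.flags):
        return False
    if rule.content is not None:
        hay, needle = pkt.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def ids_alerts(pkt: Packet, rules: List[Rule]) -> List[str]:
    return [r.msg for r in rules if rule_matches(r, pkt)]


def evaluate(packets: List[Packet], rules: List[Rule]) -> List[Tuple[bool, List[str]]]:
    """Per packet: (firewall verdict, list of IDS alert messages)."""
    return [(firewall_allows(p), ids_alerts(p, rules)) for p in packets]


# Constructed rules in Snort syntax (illustrative, not from the official ruleset).
RULE_TEXT = [
    'alert tcp any any -> any 80 (msg:"WEB-MISC directory traversal"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002;)',
    'alert tcp any any -> any any (msg:"SCAN SYN FIN"; flags:SF; sid:1000003;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed packets: all three are "TCP to port 80" as far as the firewall can tell.
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.10", 40001, 80, "PA",
           b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", "192.0.2.10", 40002, 80, "PA",
           b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.0.2.10", 40003, 80, "SF", b""),
]

if __name__ == "__main__":
    for pkt, (allowed, alerts) in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS, RULES)):
        print(f"{pkt.src}:{pkt.sport} -> :{pkt.dport} flags={pkt.flags or '-'} "
              f"firewall={'ALLOW' if allowed else 'DROP'} ids={alerts or 'clean'}")
```

Run it and the benign GET, the cmd.exe traversal request and the SYN+FIN probe all come back ALLOW from the filter; only the content and flags signatures tell them apart. Real Snort does considerably more before rules are applied (stream reassembly, HTTP URI normalisation of encodings such as %255c, preprocessors for port scans and so on); this matcher looks at a single packet's raw bytes only, which is why the sample request carries a literal "../" as well as the encoded one.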

Unfortunately very few organizations have installed a NIDS on their network. The problem with NIDS is that the choice is either very expensive commercial gear (that sometimes does not even do its job) or cheap, hair-pulling open source solutions.

Like most open source software, Snort IS VERY POWERFUL, but it's not easy to set up and configure...
but don't worry, deepsh.it SnortBox is coming soon, giving you the power of Snort and the ease of use of the ACID GUI.

   > specs
   > screenshots
   > deepsh.it SnortBox NIDS FAQ
   > how to buy


$ Last update: Sun Feb 22 11:33:45 CET 2004 $ © 2003-2004 Omar Gani