set up IDS and Firewall

loba09 · 02-13-2010, 05:10 PM

hi

i,m new in security analyst
i want set up IDS(Intrusion detection system) and Firewall in my home
just for learning..
The Goal is learn IDS log and Firewall log..

any suggestion?
any tutorial i can follow?

jschiwal · 02-13-2010, 07:39 PM

Probably a skillful use of Google until you can zoom in on what you are looking for. You may find people posting in mail groups of parts of their own logs with questions on what it means. The Netfilter website may have information on analyzing the firewall log files. Defining rules for an IDS or your firewall would require knowledge on network protocols, which will help learn what the logs mean as well.

nowonmai · 02-16-2010, 03:43 AM

Start with snort and the ruleset from http://www.emergingthreats.net/
Then read the rules! This will give you an idea what an attack looks like.
Learn how attacks are performed.
TBH, very few actual penetrations happen by random attacks... most are targeted spearphishing attacks or client side vulnerabilities.
Set up a 'honeypot' in a DMZ on your own network. Use purposely vulnerable services in this and examine the logs to see what happens when a bot attempts to penetrate.
This is not something you'll pick up overnight. You can't just learn an aspect of infosec, you need a good coherent overview.

loba09 · 02-16-2010, 08:52 AM

thanks guys...

unixfool · 03-16-2010, 08:45 PM

I'd skip ET (Emerging Threats) rules and rely on the rules from Snort.org, for now, at least. ET rules have NO documentation and breaking down the rules as a new person to this field can be daunting. At least Snort has better documentation and will point you to some good resources.

Also, some ET rules are robust but a good bit of them are garbage. People savvy with Snort know what's garbage and will filter those rules out. People new to the platform may be overwhelmed with rules that alert on legit traffic but have no good documentation.

Google.com will help but the best way to learn is to just jump in. I've also attended free webinars from Sourcefire and other companies...those seminars usually have subject-matter that is basic and allows for understanding (they break geek speak and terminology into layman's terms). Also, some paid software solutions offer free versions of their products (mod_security and Aanval are two)...you can use those in the home environment to learn.