I have this really great co-worker named John. We may differ on some things, but when it comes to food we are peas in a pod. Through some fateful twist we both have a deep appreciation for Cajun cooking, particularly gumbo and jambalaya. If you've read traditional Cajun recipes, there are five little words that you can pretty well assume are going to be in any recipe for anything fixed in a pot, skillet or Dutch oven.
"First, you make a roux"
I really wanted to blog about network security monitoring and a couple of open-source intrusion detection systems. Specifically I wanted to cover:

bro, a very cool project from ICSI that I've only recently started testing
suricata, a threaded "alternative" to Snort that I've only tested for about a month
OSSEC, a HIDS that most of my friends are wondering why I haven't already covered
Snort, the gold-standard of open source intrusion detection

OSSEC is pretty easy: it's one server and then some client installs. But when I started thinking about the requirements for the others, I realised I'm going to need a router with a span port, plus a network link so the bro/suricata/snort virtual machines can see the span traffic (this effectively sets the router up as a tap). So, part one of my bro series isn't really about bro at all; it's about setting up the environment so I can *install* bro. To paraphrase all those really awesome recipes from southern Louisiana: first you build a router.
FreeBSD + pf
I already have the psql_test internal network with a bunch of hosts on it and I've established in previous posts that it works a *lot* like a real network. I also have enough virtual machines in production networks running FreeBSD, acting as routers and packet filters for other virtual machines on the virtual networks, to think that this should be pretty easily accomplished in VirtualBox.
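As an added example that is not part of this post, the following pf.conf sketches what the "router as tap" described above could look like once FreeBSD is installed: pf's dup-to option copies every packet crossing the internal interface onto a third interface, which is where the bro/suricata/snort VMs listen. Interface names, the address ranges and the IDS host address are assumptions; the router also needs gateway_enable="YES" and pf_enable="YES" in /etc/rc.conf.

```pf
# /etc/pf.conf on the FreeBSD router VM (constructed example, assumed names)
ext_if   = "em0"              # uplink (NAT or bridged adapter in VirtualBox)
int_if   = "em1"              # psql_test internal network
span_if  = "em2"              # tap link shared with the IDS virtual machines
int_net  = "192.168.56.0/24"  # assumed psql_test address range
ids_host = "192.168.57.2"     # assumed address of a host on the span link;
                              # dup-to uses it only as the next hop for copies

set skip on lo0
scrub in all

# Masquerade the internal network behind the uplink address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default-deny inbound; outbound is allowed and tracked by state.
block in log all
pass out all keep state

# Copy traffic between psql_test and the outside onto the span link.
# The original packet is still routed normally, so hosts on psql_test
# see no difference; the IDS VMs just get a duplicate of each packet.
pass in  on $int_if from $int_net to any dup-to ($span_if $ids_host) keep state
pass out on $int_if from any to $int_net dup-to ($span_if $ids_host) keep state
```

The IDS VMs attach to the same VirtualBox internal network as the span interface and capture in promiscuous mode; nothing on the span link needs to route, it only needs to answer for the next-hop address so the copies are delivered.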