Up and Running With Snort on Gentoo – Part 1
Intrusion Detection Systems (IDS) today are, in the opinion of the L0L, fairly poor. Attackers are in a position where they can assume an IDS is in place and still feel comfortable firing away. That said, the skiddies with long "0x90" nopsleds straight off of milw0rm, sloppy recon or generic libraries can be detected. It's possible that you're interested in your children's p2p, porn or chat traffic. All valid reasons for wanting an IDS watching the wire…I guess
The physical machine itself should have at least one monitor NIC and one management NIC. Our box here has two monitor NICs, as the network TAP we are using does not support aggregation at the unit. If you are running a similar setup you will want to bridge these interfaces or use some sort of traffic merging software to realign both sides of the conversation.
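One way to do the bridging described above on a Linux sensor, as an added example rather than the post's own setup: the two receive-only TAP legs are enslaved to a bridge interface so that Snort can listen on one NIC and see both directions of each conversation. The interface names `eth1`, `eth2` and `br0` are assumptions; the commands are standard iproute2, ethtool and sysctl. The script prints the plan by default so it can be reviewed, and only applies it when `APPLY=1` is set and both interfaces actually exist.

```shell
#!/bin/sh
# Merge the two receive-only legs of a network TAP into one bridge interface
# so that Snort sees both halves of every conversation on a single NIC.
# Interface names are assumptions; override via the environment if needed.
BRIDGE="${BRIDGE:-br0}"
TAP_A="${TAP_A:-eth1}"   # assumed TAP leg carrying one direction
TAP_B="${TAP_B:-eth2}"   # assumed TAP leg carrying the other direction

# Emit the commands that build the monitor bridge, one per line.
# Printing the plan first lets it be reviewed before anything is changed.
monitor_bridge_plan() {
    br="$1"; a="$2"; b="$3"
    cat <<EOF
ip link add name $br type bridge stp_state 0
ip link set dev $a master $br
ip link set dev $b master $br
ethtool -K $a gro off lro off
ethtool -K $b gro off lro off
ip link set dev $a up promisc on
ip link set dev $b up promisc on
sysctl -q -w net.ipv6.conf.$br.disable_ipv6=1
ip link set dev $br up promisc on arp off multicast off
EOF
}
# Notes on the plan: STP is left off because the bridge never forwards
# anything, only collects. GRO/LRO are disabled so the sensor sees packets
# as they crossed the wire instead of kernel-reassembled super-segments.
# IPv6 is disabled on the bridge so the sensor itself emits no traffic.

# Refuse to apply unless both monitor interfaces exist, then run the plan
# with "sh -e" so the first failing command aborts the rest.
monitor_bridge_apply() {
    for i in "$2" "$3"; do
        [ -e "/sys/class/net/$i" ] || { echo "no such interface: $i" >&2; return 1; }
    done
    monitor_bridge_plan "$1" "$2" "$3" | sh -e
}

# List the ports currently enslaved to the bridge (sanity check after apply).
monitor_bridge_members() {
    ls "/sys/class/net/$1/brif"
}

if [ "${APPLY:-0}" = 1 ]; then
    monitor_bridge_apply "$BRIDGE" "$TAP_A" "$TAP_B" &&
        echo "Snort can now listen with: snort -i $BRIDGE -c /etc/snort/snort.conf"
else
    monitor_bridge_plan "$BRIDGE" "$TAP_A" "$TAP_B"
fi
```

Because both TAP legs only ever receive, the bridge merges without creating a loop, but the interfaces still need no IP address and nothing should route through them; keep management on the separate NIC the post calls for.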

