Using snort to detect if your users are doing interesting things?

Sam Hayes Merritt, III sam at themerritts.org
Thu Jun 9 15:58:21 UTC 2005



> I'm wondering what is the best way to detect people doing these things 
> on my end. I realize there are methods to protect myself from people 
> attacking from the outside but I'm not real sure how to pinpoint who is 
> really being loud on the inside.

One of the best things we did was set up a snort box with barnyard logging 
to a mysql server. The snort box has an IP out of each ARIN allocation we 
have.

On a schedule, we purge the logs in the mysql server that did not come 
from our IP space and if there are X number of things from one of our IPs, 
open an abuse ticket which then looks up what type of connection that IP 
is and finds the specific user. It's then a manual process to hit a 'turn 
off and note their account' button or notify a downstream ISP.

This setup appears to catch a ton of the worms that scan a /8. I'm sure 
there is probably a better way of doing this, but without throwing a box 
at each network access point or better utilizing cflow, I couldn't come up 
with it.


sam
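The scheduled job Sam describes (drop events whose source is outside our own allocations, count what is left per source IP, open a ticket once a source crosses a threshold) is shown below as an added example; it is not Sam's script and not part of snort or barnyard. It uses an in-memory sqlite table as a stand-in for the barnyard MySQL schema (the real schema is not reproduced here), constructed sample events, constructed ARIN allocations from documentation ranges, and a hypothetical threshold of 5 in place of the "X" in the post. The "ticket" is a plain dict; hooking it to a real ticketing or RADIUS lookup is left to the reader.

```python
import ipaddress
import sqlite3
from collections import Counter

# Constructed stand-ins for "our" ARIN allocations (documentation ranges, not real space).
OUR_ALLOCATIONS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical value for the "X number of things" threshold in the post.
THRESHOLD = 5

# Constructed sample events: (cid, ip_src, signature name).
# 203.0.113.5 is outside our space and should be purged; 192.0.2.10 is noisy.
SAMPLE_EVENTS = [
    (1, "192.0.2.10", "SCAN worm probe 445/tcp"),
    (2, "192.0.2.10", "SCAN worm probe 445/tcp"),
    (3, "192.0.2.10", "SCAN worm probe 135/tcp"),
    (4, "192.0.2.10", "SCAN worm probe 445/tcp"),
    (5, "192.0.2.10", "SCAN worm probe 445/tcp"),
    (6, "192.0.2.10", "SCAN worm probe 135/tcp"),
    (7, "192.0.2.10", "SCAN worm probe 445/tcp"),
    (8, "192.0.2.20", "SCAN worm probe 445/tcp"),
    (9, "192.0.2.20", "SCAN worm probe 445/tcp"),
    (10, "203.0.113.5", "SCAN worm probe 445/tcp"),
    (11, "203.0.113.5", "SCAN worm probe 445/tcp"),
    (12, "203.0.113.5", "SCAN worm probe 445/tcp"),
    (13, "198.51.100.7", "SCAN worm probe 445/tcp"),
]


def build_db(rows):
    """Load events into a simplified event table (stand-in for the barnyard schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (cid INTEGER PRIMARY KEY, ip_src TEXT NOT NULL, sig_name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def is_ours(ip):
    """True if the address falls inside one of our allocations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_ALLOCATIONS)


def purge_foreign(conn):
    """Delete events whose source is not in our IP space; return how many were removed."""
    foreign = [cid for cid, ip in conn.execute("SELECT cid, ip_src FROM event") if not is_ours(ip)]
    conn.executemany("DELETE FROM event WHERE cid = ?", [(c,) for c in foreign])
    conn.commit()
    return len(foreign)


def noisy_sources(conn, threshold=THRESHOLD):
    """Source IPs (ours, after purging) with at least `threshold` events, loudest first."""
    cur = conn.execute(
        "SELECT ip_src, COUNT(*) FROM event GROUP BY ip_src HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC",
        (threshold,),
    )
    return [(ip, n) for ip, n in cur]


def open_abuse_tickets(conn, threshold=THRESHOLD):
    """Build one ticket per noisy source, with the signature seen most often for context."""
    tickets = []
    for ip, n in noisy_sources(conn, threshold):
        sigs = Counter(s for (s,) in conn.execute("SELECT sig_name FROM event WHERE ip_src = ?", (ip,)))
        tickets.append({"ip": ip, "events": n, "top_signature": sigs.most_common(1)[0][0]})
    return tickets


def run_cycle(rows, threshold=THRESHOLD):
    """One scheduled pass: purge foreign sources, then ticket anything over the threshold."""
    conn = build_db(rows)
    purged = purge_foreign(conn)
    tickets = open_abuse_tickets(conn, threshold)
    conn.close()
    return purged, tickets


if __name__ == "__main__":
    purged, tickets = run_cycle(SAMPLE_EVENTS)
    print(f"purged {purged} foreign events")
    for t in tickets:
        print(f"ticket: {t['ip']} ({t['events']} events, mostly {t['top_signature']})")
```

Purging by membership in the allocation list rather than by a single prefix is what makes the "one IP per allocation" sensor layout work: only traffic sourced from customer space survives to the counting step, so the threshold measures how loud a customer is rather than how much background scanning the sensor sees.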


