Using snort to detect if your users are doing interesting things?
Steven M. Bellovin
smb at cs.columbia.edu
Thu Jun 9 16:08:09 UTC 2005
In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82 at mail.kals
ec.com>, trainier at kalsec.com writes:
>
>
>As it was already noted, you need to be very careful about how you set
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly. Unfortunately, when
>used incorrectly, it can hose your network over
>completely.
>
>My suggestion, in the case that you'll use snort, is to do some extensive
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended
>purpose.
>
Also figure out what you're going to do with the output. Do you have
the resources to investigate apparent misbehavior? Remember that any
IDS will have a certain false positive rate. Even for true positives,
do you have the customer care resources to notify your users and (if
appropriate) hold their hands while they disinfect their machines.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list