Using snort to detect if your users are doing interesting things?

• Previous message (by thread): Using snort to detect if your users are doing interesting things?
• Next message (by thread): Using snort to detect if your users are doing interesting things?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82 at mail.kals
ec.com>, trainier at kalsec.com writes:
>
>
>As it was already noted, you need to be very careful about how you set 
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly.  Unfortunately, when 
>used incorrectly, it can hose your network over
>completely.
>
>My suggestion, in the case that you'll use snort, is to do some extensive 
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended 
>purpose.
>

Also figure out what you're going to do with the output.  Do you have 
the resources to investigate apparent misbehavior?  Remember that any 
IDS will have a certain false positive rate.  Even for true positives, 
do you have the customer care resources to notify your users and (if 
appropriate) hold their hands while they disinfect their machines.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

• Previous message (by thread): Using snort to detect if your users are doing interesting things?
• Next message (by thread): Using snort to detect if your users are doing interesting things?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]