Using snort to detect if your users are doing interesting things?

Kim Onnel karim.adel at gmail.com
Thu Jun 9 20:29:37 UTC 2005


How about project Darknet and sinkholes and monitoring dark IP space? Worms 
and botnets usually scan blindly right and left, so there is a good chance 
you will get a glimpse of infected hosts if that's what you want. I catch 
infected hosts by looking at Apache access logs, and I see a lot of scans.

And Randy, for that I change the ssh port to a higher one :)

On 6/9/05, Randy Bush <randy at psg.com> wrote:
> 
> 
> >> My suggestion, in the case that you'll use snort, is to do some extensive
> >> testing on a non-production network. Take the time to learn and
> >> understand its functionality and intended purpose.
> > Also figure out what you're going to do with the output. Do you have
> > the resources to investigate apparent misbehavior? Remember that any
> > IDS will have a certain false positive rate. Even for true positives,
> > do you have the customer care resources to notify your users and (if
> > appropriate) hold their hands while they disinfect their machines.
> 
> it's enough of a pita to clean up the syslogs from all the 25k/day
> password attacks per host, when one does not have password ssh
> even enabled.
> 
> randy
> 
>
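Added example, not part of the thread above: a small Python script of the kind Kim describes, pulling blindly scanning hosts out of an Apache access log. It parses combined-format lines, counts requests, distinct paths and 404 responses per source address, and flags sources that hammer many non-existent paths. The log lines (including one deliberately malformed line) and the thresholds are constructed for the example; tune the thresholds to your own traffic before trusting the output.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not real traffic). 10.0.0.5 behaves
# like a worm probing well-known paths that do not exist on this server;
# 192.0.2.10 is an ordinary visitor; the last line is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2005:20:01:01 +0000] "GET /scripts/root.exe HTTP/1.0" 404 294 "-" "-"
10.0.0.5 - - [09/Jun/2005:20:01:02 +0000] "GET /MSADC/root.exe HTTP/1.0" 404 294 "-" "-"
10.0.0.5 - - [09/Jun/2005:20:01:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
10.0.0.5 - - [09/Jun/2005:20:01:03 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
10.0.0.5 - - [09/Jun/2005:20:01:03 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 294 "-" "-"
10.0.0.5 - - [09/Jun/2005:20:01:04 +0000] "GET /phpMyAdmin/main.php HTTP/1.0" 404 294 "-" "-"
192.0.2.10 - - [09/Jun/2005:20:05:10 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Jun/2005:20:05:11 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.net/" "Mozilla/5.0"
192.0.2.10 - - [09/Jun/2005:20:05:15 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://example.net/" "Mozilla/5.0"
192.0.2.10 - - [09/Jun/2005:20:05:20 +0000] "GET /favicon.ico HTTP/1.1" 404 294 "-" "Mozilla/5.0"
garbage line that is not an access log entry
"""

# Apache "combined" format: ip ident user [time] "method path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Return (records, skipped): one dict per well-formed line; malformed
    lines are counted and skipped rather than aborting the whole run."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, skipped


def scanner_candidates(records, min_requests=5, min_distinct_paths=5,
                       min_404_ratio=0.8):
    """Aggregate per source IP and return {ip: stats} for sources that look
    like blind scanners: many requests, many distinct paths, mostly 404s.
    Thresholds are constructed defaults; an ordinary visitor with a single
    missing favicon stays well under them."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set()})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        s["paths"].add(r["path"])
        if r["status"] == 404:
            s["not_found"] += 1

    flagged = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        if (s["requests"] >= min_requests
                and len(s["paths"]) >= min_distinct_paths
                and ratio >= min_404_ratio):
            flagged[ip] = {
                "requests": s["requests"],
                "not_found": s["not_found"],
                "distinct_paths": len(s["paths"]),
                "not_found_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    for ip, s in scanner_candidates(recs).items():
        print(ip, s)
    print(f"{skipped} malformed line(s) skipped")
```

To run it against a real server, replace SAMPLE_LOG with the contents of access_log; the 404-ratio test is what separates a probing host from a busy legitimate client, so check it against your own baseline before acting on a flagged address.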