Snort mailing list archives
question
From: Eric Garnel <eric () garnel com>
Date: Mon, 26 May 2003 18:30:15 -0700 (PDT)
The network that I manage is unique in that I often have "guests" connecting to my access level switches for a short time only (1 to 5 days). Occasionally, we get a guest machine that is infected and is "blabbing" out to the internet. It sometimes becomes an issue when one of the groups such as abuse.net comes back with a complaint. Usually, the client has moved on already and the offending address is back in the pool. Is snort the right tool and if so, does anyone have any pointers on how to configure it to watch for outbound malicious traffic only (scans, known signatures, etc.)? My 1st thought is to set the HOME_NET to any and the EXTERNAL_NET to my dhcp address ranges. I am trying to have a way of determining if there is malicious activity stemming from my network before I have to hear about it from someone else.

=====
Eric Garnel CCNP, MCSE
eric () garnel com