Snort mailing list archives

RE: functionality question

From: <bmcdowell () coxhealthplans com>
Date: Tue, 27 May 2003 08:11:21 -0500
Well, if you weren't opposed to such a solution, you might want to set
up something like Guardian to watch these guests.  Especially if you
could put all the guests on either their own subnet, their own physical
segment, or both.  Then you set your gaurdian-ish device to simply
squelch any further traffic from your guest until they can get cleaned
up.

This doesn't really fix anything, but it might stop the abuse complaints
by cutting back on the volume of blabbing that goes outbound.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Eric Garnel
Sent: Sunday, May 25, 2003 11:37 AM
To: snort
Subject: [Snort-users] functionality question


The network that I manage is unique in that I often have "guests"
connecting to my access level switches for a short time only (1 to 5
days).  Occasionally, we get a guest machine that is infected and is
"blabbing" out to the internet.  It sometimes becomes an issue when
one of the groups such as abuse.net comes back with a complaint.
Usually, the client has moved on already and the offending address is
back in the pool.

Is snort the right tool and if so, does anyone have any pointers on
how to configure it to watch for outbound malicious traffic only
(scans, known signatures, etc.)? My 1st thought is to set the
HOME_NET to any and the EXTERNAL_NET to my dhcp address ranges.

I am trying to have a way of determining if there is malicious
activity stemming from my network before I have to hear about it from
someone else.

=====

Eric Garnel CCNP, MCSE



eric () garnel com

 

 



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Confidentiality Notice: This e-mail message (including any attachments) may contain confidential and privileged 
information, and is for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or 
distribution is strictly prohibited. If you are not the intended recipient, please notify the sender by replying to 
this e-mail message, permanently deleting the original message and destroying any hard copies of the original message 
that may have been created.




-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

functionality question Eric Garnel (May 25)
- <Possible follow-ups>
- RE: functionality question bmcdowell (May 27)