Snort mailing list archives
Security Audit
From: Steven Crandell <steven.crandell () gmail com>
Date: Fri, 10 Dec 2004 22:11:00 -0700
Greetings all,

First off, thank you, to everyone who has dedicated their time and talents to building snort. Your efforts are, by any measure, hugely successful and greatly appreciated.

My situation in short: Tomorrow my company will endure our quarterly security audit. The president of the company isn't terribly worried about our IDS most of the time, however when the audits occur, he's intensely interested in making sure that our IDS sees every bit of traffic involved in the audit. The 3rd party performing the audit has, once in the past, managed to perform their audit without being detected by our IDS. I would like to make sure this doesn't happen again.

So, can anyone recommend any tips to making sure that we detect scans (even really slow, stealth scans) from behind a firewall that only permits traffic across ports 80 and 22?

Given that I have the source ip from which the audit will originate, I can and certainly will, write a simple rule to capture and log all traffic from the IP in question. This is, of course, not possible in the process of day-to-day detection. I wonder if any of you have any words of wisdom to help me overcome this issue.

It may be worth noting that:
-I'm dealing with a class C network
-I am using the flow-portscan preprocessor already

Thank you in advance.

Very best regards,

--
Steven Crandell
steven.crandell () gmail com
"Getting an ethics lesson from the guy who cracked makelovenotspam.com.........priceless"