IDS mailing list archives

Re: Snort


From: James Riden <j.riden () massey ac nz>
Date: Tue, 05 Oct 2004 14:24:03 +1300

"Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk> writes:

> --On 30 September 2004 20:35 -0400 Martin Roesch
> <roesch () sourcefire com> wrote:
>
>> Just one note from me. If you're going to only pay attention to
>> priority 1 events then you need to tune the priorities on your rules for
>> your environment.
>
> Quite correct, Marty (unsurprisingly!). Incidentally, by 'report on'
> I was meaning 'send email about' or similar. It's good practice, IMHO,
> to log *everything* (albeit thresholded, maybe) for later analysis of
> events.

Absolutely. That Nessus scan today might turn into a full-blown attack
tomorrow and it's nice to be able to correlate all the activity from a
particular IP address/range.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
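
The workflow discussed in this message (log everything, notify only on priority 1, then correlate all activity from an address or range), as an added example that is not part of the original post. It assumes alerts are written in Snort's one-line "fast" alert layout; the sample log, SIDs, messages and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout: Snort "fast" alert line
# timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed sample log (documentation address ranges, made-up SIDs and messages).
SAMPLE_LOG = """\
10/04-09:12:01.100000  [**] [1:1000001:1] Constructed: scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:80
10/04-09:12:02.200000  [**] [1:1000002:1] Constructed: ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
10/04-11:30:00.000000  [**] [1:1000002:1] Constructed: ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.9
10/05-14:24:03.300000  [**] [1:1000003:1] Constructed: exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:40555 -> 198.51.100.5:80
"""

def parse_alerts(text):
    """Yield one dict per well-formed alert line; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alert = m.groupdict()
            alert["prio"] = int(alert["prio"])
            yield alert

def correlate(text, prefix=24, notify_priority=1):
    """Group every logged alert by source network, then return only the
    networks that raised an alert at notify_priority, with their full history
    (including the lower-priority events that would not have been emailed)."""
    by_net = defaultdict(list)
    for alert in parse_alerts(text):
        net = ipaddress.ip_network(f"{alert['src']}/{prefix}", strict=False)
        by_net[str(net)].append(alert)
    return {
        net: alerts for net, alerts in by_net.items()
        if any(a["prio"] <= notify_priority for a in alerts)
    }

if __name__ == "__main__":
    for net, alerts in correlate(SAMPLE_LOG).items():
        print(net)
        for a in alerts:
            print(f"  {a['ts']} P{a['prio']} {a['src']} -> {a['dst']} {a['msg']}")
```

With `prefix=32` the grouping is per address rather than per range, which drops the ping sweep from the neighbouring host out of the history.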

