nanog mailing list archives

Re: Using snort to detect if your users are doing interesting things?


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 09 Jun 2005 12:08:09 -0400


In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82 () mail kalsec.com>, trainier () kalsec com writes:


As it was already noted, you need to be very careful about how you set
your IDS up, specifically if you choose snort.  Snort is a very powerful
tool, when used correctly.  Unfortunately, when used incorrectly, it can
hose your network over completely.

My suggestion, in the case that you'll use snort, is to do some extensive
testing on a non-production network.  Take the time to learn and
understand its functionality and intended purpose.


Also figure out what you're going to do with the output.  Do you have 
the resources to investigate apparent misbehavior?  Remember that any 
IDS will have a certain false positive rate.  Even for true positives, 
do you have the customer care resources to notify your users and (if 
appropriate) hold their hands while they disinfect their machines?

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb


