nanog mailing list archives
Re: Using snort to detect if your users are doing interesting things?
From: Kim Onnel <karim.adel () gmail com>
Date: Thu, 9 Jun 2005 23:29:37 +0300
How about project Darknet and sinkholes and monitoring dark IP space? Worms and botnets usually scan blindly right and left, so there is a good chance you will get a glimpse of infected hosts, if that's what you want. I catch infected hosts by looking at Apache access logs, and I see a lot of scans. And Randy, for that I change the ssh port to a higher one :)

On 6/9/05, Randy Bush <randy () psg com> wrote:
My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose.

Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines?

it's enough of a pita to clean up the syslogs from all the 25k/day password attacks per host, when one does not have password ssh even enabled.

randy