Snort mailing list archives
RE: sircam removal
From: Graeme Fowler <graeme.fowler () hosteurope com>
Date: Thu, 30 Aug 2001 14:14:05 +0100
I have to stick my head above the parapet here... I'm prepared to be shot at!

It's interesting to see so many Snort users who want to use Snort to stop <whatever> getting into their networks. Remember that it's an Intrusion Detection System, and although Marty et al have spooged some cool features in - flexresp being one of them - it should only be a single, small part of your armoury in keeping your network/systems safe.

As far as I'm concerned there is (in the case of viruses) absolutely no substitute for (sadly) having a well-supported, automatically-updating and therefore probably commercial anti-virus solution installed on all your machines. At least, those machines which might actually be infected, anyways :)

In theory, you should maybe have several layers of protection. Let's just deal with viruses:

Internet
   |
Gateway          <--- some sort of IDS to *warn* you of inbound or outbound virii.
   |
Mail Server(s)   <--- some sort of regularly updated email AV scanner
   |
Mail clients     <--- some sort of regularly updated email AV scanner
   |
Your users       <--- clue. A very useful addition :)

To be honest, no matter what amount of system-side protection I've seen installed, the biggest problem is almost always the end user. A friend of mine - who uses a very well-known suite of AV software to keep his network safe - sent an email to all his staff when the lovebug came a-calling, letting them know that they shouldn't open anything which fit the profile even if it did come from someone they knew. What happened? The following day someone brought their laptop in from home, plugged it in, accessed Hotmail from it and boom: their copy of Outlook Express spewed forth the lovebug. Thankfully he trapped it as their AV software was up-to-date on the server, but you get the idea... The response after the bollocking? "But it was from a mate!". The jury's still out on this one ;-)

Remember that using flexresp to stop a mail transaction halfway through is going to upset people eventually. I figure it's better to regularly process the logs, pick out the warnings and manually process them in some way.

I'm all for software with lots of features. I'm even more for lots of software with lots of features, all working in concert :)

Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
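An added example (not code from Graeme's post or from the Snort project) of the "process the logs, pick out the warnings" approach: it parses Snort alert_fast-style lines, keeps only virus-related alerts, and tallies them by direction and internal host so an admin can follow up by hand rather than having flexresp tear down mail sessions. The sample alert lines, the rule name in them and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Snort's alert_fast layout (not real captures;
# the rule SID and message text are made up for this example).
SAMPLE_ALERTS = """\
08/30-09:12:01.113432 [**] [1:9999:1] VIRUS SirCam attachment (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.33:1041 -> 192.0.2.25:25
08/30-09:15:44.229011 [**] [1:9999:1] VIRUS SirCam attachment (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:3981 -> 10.1.2.10:25
08/30-09:16:02.002771 [**] [1:9999:1] VIRUS SirCam attachment (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.33:1042 -> 192.0.2.26:25
08/30-09:20:10.511222 [**] [1:1234:1] WEB-MISC unrelated alert (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:5011 -> 10.1.2.80:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise_virus_alerts(text, internal_net="10.0.0.0/8", keyword="VIRUS"):
    """Count keyword-matching alerts per internal host, split by direction.

    Outbound = source inside internal_net (a possibly infected local machine);
    inbound  = destination inside internal_net (a local host being sent a copy).
    """
    inside = ip_network(internal_net)
    summary = {"outbound": Counter(), "inbound": Counter()}
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or keyword not in alert["msg"]:
            continue  # not an alert line, or not the class of warning we care about
        if ip_address(alert["src"]) in inside:
            summary["outbound"][alert["src"]] += 1
        elif ip_address(alert["dst"]) in inside:
            summary["inbound"][alert["dst"]] += 1
    return summary


if __name__ == "__main__":
    for direction, hosts in summarise_virus_alerts(SAMPLE_ALERTS).items():
        for host, n in hosts.most_common():
            print(f"{direction:8} {host:15} {n} alert(s) - check this machine")
```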
Current thread:
- sircam removal Chris Mason (Aug 30)
- Re: sircam removal Michael Boman (Aug 30)
- Re: sircam removal JP (Aug 30)
- Re: sircam removal Ralf Hildebrandt (Aug 30)
- Re: sircam removal Florent (Aug 30)
- Re: sircam removal Ralf Hildebrandt (Aug 30)
- Re: sircam removal Jason Haar (Aug 31)
- Re: sircam removal Florent (Aug 30)
- Re: sircam removal Michael Boman (Aug 30)
- <Possible follow-ups>
- RE: sircam removal Graeme Fowler (Aug 30)
- RE: sircam removal Erek Adams (Aug 30)