Snort mailing list archives

RE: sircam removal


From: Graeme Fowler <graeme.fowler () hosteurope com>
Date: Thu, 30 Aug 2001 14:14:05 +0100

I have to stick my head above the parapet here... I'm prepared to be shot
at!

It's interesting to see so many Snort users who want to use Snort to stop
<whatever> getting into their networks. Remember that it's an Intrusion
Detection System, and although Marty et al have spooged some cool features
in - flexresp being one of them - it should only be a single, small part of
your armoury in keeping your network/systems safe.

As far as I'm concerned there is (in the case of viruses) absolutely no
substitute for (sadly) having a well-supported automatically-updating and
therefore probably commercial anti-virus solution installed on all your
machines. At least, those machines which might actually be infected, anyways
:)

In theory, you should maybe have several layers of protection. Let's just
deal with viruses:

Internet
    |
Gateway  <---  some sort of IDS to *warn* you of inbound or outbound viruses.
    |
Mail Server(s) <--- some sort of regularly updated email AV scanner
    |
Mail clients <--- some sort of regularly updated email AV scanner
    |
Your users  <--- clue. A very useful addition :)

To be honest, no matter what amount of system-side protection I've seen
installed, the biggest problem is almost always the end user. A friend of
mine - who uses a very well-known suite of AV software to keep his network
safe - sent an email to all his staff when the lovebug came a-calling,
letting them know that they shouldn't open anything which fit the profile
even if it did come from someone they knew. What happened? The following day
someone brought their laptop in from home, plugged it in, accessed Hotmail
from it and boom: their copy of Outlook Express spewed forth the lovebug.
Thankfully he trapped it as their AV software was up-to-date on the server,
but you get the idea...  The response after the bollocking? "But it was from
a mate!". The jury's still out on this one ;-)

Remember that using flexresp to stop a mail transaction halfway through is
going to upset people eventually. I figure it's better to regularly process
the logs, pick out the warnings and manually process them in some way.

I'm all for software with lots of features. I'm even more for lots of
software with lots of features, all working in concert :)

Graeme

-- 
Graeme Fowler
System Administrator
Host Europe Group PLC

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
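The "process the logs and pick out the warnings" approach Graeme recommends over flexresp, as an added example that is not part of the original post or of Snort itself. It parses Snort's one-line "alert_fast" output, keeps only alerts whose rule message starts with VIRUS (an assumed naming convention, matching the old virus.rules style), and groups them by the internal host involved so that a machine *sending* infected mail floats to the top of the admin's worklist. The internal network ranges, the SIDs and the sample alert lines are all constructed for this example.

```python
"""Triage Snort fast-format alerts for virus signatures, per internal host.

Added example (not Snort's own code): reads alert lines, keeps the
virus-related ones and groups them by internal host so an administrator
can follow up by hand instead of having flexresp tear down SMTP sessions.
"""
import ipaddress
import re

# Snort "alert_fast" line layout, one alert per line. Classification and
# Priority brackets are optional because not every rule carries them.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumed address plan for this example: which ranges count as "ours".
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log. The SIDs (9000001..9000003) and hosts are made up;
# line 5 is the kind of non-alert noise that ends up in the same file.
SAMPLE_ALERTS = [
    "08/30-09:12:44.101010  [**] [1:9000001:1] VIRUS Outbound SirCam mail body [**] "
    "[Classification: Misc activity] [Priority: 2] {TCP} 192.168.10.23:1044 -> 10.0.0.5:25",
    "08/30-09:12:51.202020  [**] [1:9000002:1] VIRUS Outbound SirCam .lnk attachment [**] "
    "[Classification: Misc activity] [Priority: 2] {TCP} 192.168.10.23:1045 -> 10.0.0.5:25",
    "08/30-09:13:05.303030  [**] [1:9000003:2] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:2033 -> 10.0.0.8:80",
    "08/30-09:14:30.404040  [**] [1:9000001:1] VIRUS Inbound SirCam mail body [**] "
    "[Classification: Misc activity] [Priority: 2] {TCP} 203.0.113.7:3345 -> 10.0.0.5:25",
    "Initializing Output Plugins!",
    "08/30-09:15:02.505050  [**] [1:9000001:1] VIRUS Outbound SirCam mail body [**] "
    "[Classification: Misc activity] [Priority: 2] {TCP} 192.168.10.40:1100 -> 10.0.0.5:25",
]


def parse_alert(line):
    """Return a dict of the alert's fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["pri"] = int(alert["pri"]) if alert["pri"] else None
    return alert


def is_virus_alert(alert):
    # Assumed convention: virus rules carry messages beginning with "VIRUS".
    return alert["msg"].upper().startswith("VIRUS")


def internal_host(alert, nets=INTERNAL_NETS):
    """Pick the internal endpoint and the direction of the flow relative to it."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    if any(src in n for n in nets):
        return alert["src"], "outbound"   # our host is the sender: likely infected
    if any(dst in n for n in nets):
        return alert["dst"], "inbound"    # our host merely received it
    return None, None


def triage(lines, nets=INTERNAL_NETS):
    """Aggregate virus alerts per internal host: counts, directions, SIDs, time span."""
    report = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not is_virus_alert(alert):
            continue
        host, direction = internal_host(alert, nets)
        if host is None:
            continue
        entry = report.setdefault(host, {"count": 0, "outbound": 0, "inbound": 0,
                                         "sids": set(), "first": alert["ts"],
                                         "last": alert["ts"]})
        entry["count"] += 1
        entry[direction] += 1
        entry["sids"].add(alert["sid"])
        entry["last"] = alert["ts"]
    return report


def worklist(report):
    """Order hosts for manual follow-up: senders of infected mail first, then by volume."""
    return sorted(report.items(),
                  key=lambda kv: (-kv[1]["outbound"], -kv[1]["count"], kv[0]))


if __name__ == "__main__":
    for host, e in worklist(triage(SAMPLE_ALERTS)):
        print(f"{host:16} out={e['outbound']} in={e['inbound']} "
              f"sids={sorted(e['sids'])} {e['first']} .. {e['last']}")
```

Run against a real `alert` file by feeding `open(path)` to `triage()` instead of `SAMPLE_ALERTS`. The point of the ranking is the one the post makes: nothing is reset or blocked, the admin gets a short list of which workstations to walk over to, and a mail server that only received infected mail is distinguished from a client that is spewing it.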