Snort mailing list archives

Re: what is good


From: "ScotScot" <scotw () hotmail com>
Date: Sun, 21 Apr 2002 21:07:35 -0500

If you want good Host Based Intrusion Detection, turn your file access
control auditing on and create scripts to monitor the log files.

Unix - Set up a cron job to run grep queries and mail to admin when certain
strings are found in log files.
Windows - Set up an AT job to run "find" queries, or go to
http://unxutils.sourceforge.net/ and do it just like you would on a *nix
box.

Also, write a couple decoy progies to listen on unused ports and log to a
static file. You can then write a grep script to activate a snort dump for
"x" number of packets after the decoy is tripped off.

You can do all of this with Perl. If you don't know Perl, get one of those
teach yourself Perl in 24 hours books, you'll love it.

"It's all about the Pentium"
                                        ---Weird AL



----- Original Message -----
From: "John Sage" <jsage () finchhaven com>
To: <snort-users () lists sourceforge net>
Sent: Sunday, April 21, 2002 5:11 PM
Subject: Re: [Snort-users] what is good


On Sun, Apr 21, 2002 at 03:32:28PM -0500, Onie Camara wrote:
We've got good nids, snort. What then would be a good opensource/free
hids?

umm..

snort?

Thanks in advance.

Not all.


- John
--
In those days, you could not buy a $2000 200MHz Pentium server.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
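
The cron-driven log check and decoy-triggered Snort dump described in the reply above, written in POSIX shell as an added example; it is not code from the post or from the Snort project. The log paths, match pattern, state directory, mail recipient and the assumption that each decoy listener appends one line per connection to a static file are all hypothetical.

```shell
#!/bin/sh
# Added example: every path, pattern and address below is a constructed default.
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit.log}      # file-access audit log
DECOY_LOG=${DECOY_LOG:-/var/log/decoy.log}      # static file the decoys append to
STATE_DIR=${STATE_DIR:-/var/lib/hids-check}     # remembers how far we have read
CAPTURE_DIR=${CAPTURE_DIR:-/var/log/snort/decoy}
AUDIT_PATTERN=${AUDIT_PATTERN:-'denied|FAILED'} # strings worth a mail
ADMIN=${ADMIN:-root}
IFACE=${IFACE:-eth0}
PACKETS=${PACKETS:-500}                         # the "x" packets to dump

# Print lines added to log $1 since the last run that match regex $3.
# $2 stores the byte offset already examined, so each cron run reports a
# hit once instead of re-mailing the whole file.
scan_new() {
    log=$1 state=$2 pattern=$3
    [ -r "$log" ] || return 0
    size=$(wc -c < "$log" | tr -d ' ')
    last=0
    if [ -r "$state" ]; then last=$(cat "$state"); fi
    case $last in ''|*[!0-9]*) last=0 ;; esac       # unreadable state: rescan
    if [ "$size" -lt "$last" ]; then last=0; fi     # log rotated or truncated
    # Read only bytes last..size so lines written mid-run are seen next time.
    tail -c +"$((last + 1))" "$log" | head -c "$((size - last))" |
        grep -E -- "$pattern" || true
    echo "$size" > "$state"
}

# Cron entry point: mail new audit hits; on a decoy hit, mail and start a
# Snort capture that stops by itself after $PACKETS packets.
run_checks() {
    mkdir -p "$STATE_DIR" "$CAPTURE_DIR"
    hits=$(scan_new "$AUDIT_LOG" "$STATE_DIR/audit.off" "$AUDIT_PATTERN")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | mail -s "HIDS: audit log hits" "$ADMIN"
    fi
    trips=$(scan_new "$DECOY_LOG" "$STATE_DIR/decoy.off" '.')
    if [ -n "$trips" ]; then
        printf '%s\n' "$trips" | mail -s "HIDS: decoy port touched" "$ADMIN"
        # Snort 1.x/2.x: -b tcpdump-format log, -n exit after N packets, -l log dir
        snort -i "$IFACE" -b -n "$PACKETS" -l "$CAPTURE_DIR" >/dev/null 2>&1 &
    fi
}

# crontab: */5 * * * * /usr/local/sbin/hids-check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```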

