Snort mailing list archives

Security Audit


From: Steven Crandell <steven.crandell () gmail com>
Date: Fri, 10 Dec 2004 22:11:00 -0700

Greetings all,

First off, thank you to everyone who has dedicated their time and
talents to building Snort.  Your efforts are, by any measure, hugely
successful and greatly appreciated.

My situation in short:
Tomorrow my company will endure our quarterly security audit.  The
president of the company isn't terribly worried about our IDS most of
the time, however when the audits occur, he's intensely interested in
making sure that our IDS sees every bit of traffic involved in the
audit.

The 3rd party performing the audit has, once in the past, managed to
perform their audit without being detected by our IDS.  I would like
to make sure this doesn't happen again.
So, can anyone recommend any tips for making sure that we detect scans
(even really slow, stealth scans) from behind a firewall that only
permits traffic across ports 80 and 22?

Given that I have the source IP from which the audit will originate, I
can, and certainly will, write a simple rule to capture and log all
traffic from the IP in question.  This is, of course, not possible in
the process of day-to-day detection.

I wonder if any of you have any words of wisdom to help me overcome this issue.

It may be worth noting that:
- I'm dealing with a class C network
- I am using the flow-portscan preprocessor already

Thank you in advance.

Very best regards,

-- 
Steven Crandell
steven.crandell () gmail com

"Getting an ethics lesson from the guy who cracked
makelovenotspam.com.........priceless"
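As an added illustration (not part of the original post, and not Snort's own code), the aggregation a slow-scan detector needs: a source that touches one new host per hour on the two open ports stays under any per-minute rate threshold, so the check below counts distinct targets per source over a long window instead of packets per second. The monitored /24, the log format, the addresses and the thresholds are constructed assumptions.

```python
"""Slow horizontal-scan detector over a constructed connection log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data using RFC 5737 documentation addresses.
# 192.0.2.0/24 is the monitored network; 203.0.113.7 sweeps it one host
# per hour on ports 22/80, while 198.51.100.5 is a normal repeat client.
SAMPLE_LOG = """\
2004-12-10T00:05:00 203.0.113.7 192.0.2.1 22
2004-12-10T01:10:00 203.0.113.7 192.0.2.2 22
2004-12-10T02:15:00 203.0.113.7 192.0.2.3 80
2004-12-10T03:00:00 198.51.100.5 192.0.2.10 80
2004-12-10T03:20:00 203.0.113.7 192.0.2.4 22
2004-12-10T03:01:00 198.51.100.5 192.0.2.10 80
2004-12-10T04:25:00 203.0.113.7 192.0.2.5 80
2004-12-10T05:30:00 203.0.113.7 192.0.2.6 22
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)


def detect_slow_scans(events, monitored_net, window=timedelta(hours=24),
                      host_threshold=5):
    """Return {src: (first_alert_time, distinct_hosts)} for every source
    that contacted >= host_threshold distinct hosts inside monitored_net
    within `window`, however slowly it spread those contacts out."""
    net = ipaddress.ip_network(monitored_net)
    recent = defaultdict(deque)      # src -> deque of (ts, dst) in window
    alerts = {}
    for ts, src, dst, _dport in events:
        if ipaddress.ip_address(dst) not in net or src in alerts:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire contacts outside window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= host_threshold:
            alerts[src] = (ts, len(hosts))
    return alerts
```

With the sample data the sweeping source is flagged at its fifth distinct host while the repeat client never is; the same data would not trip a rate-based threshold measured over seconds.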


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
