North American Network Operators Group
Re: Using snort to detect if your users are doing interesting things?
- From: Steven M. Bellovin
- Date: Thu Jun 09 12:09:18 2005
In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82@mail.kalsec.com>, firstname.lastname@example.org writes:
>As it was already noted, you need to be very careful about how you set
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly. Unfortunately, when
>used incorrectly, it can hose your network over.
>My suggestion, in the case that you'll use snort, is to do some extensive
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended
Also figure out what you're going to do with the output. Do you have
the resources to investigate apparent misbehavior? Remember that any
IDS will have a certain false positive rate. Even for true positives,
do you have the customer care resources to notify your users and (if
appropriate) hold their hands while they disinfect their machines?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb