Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Using snort to detect if your users are doing interesting things?

  • From: Steven M. Bellovin
  • Date: Thu Jun 09 12:09:18 2005

In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82@mail.kalsec.com>, trainier@kalsec.com writes:
>
>
>As it was already noted, you need to be very careful about how you set 
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly.  Unfortunately, when 
>used incorrectly, it can hose your network over
>completely.
>
>My suggestion, in the case that you'll use snort, is to do some extensive 
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended 
>purpose.
>

Also figure out what you're going to do with the output.  Do you have 
the resources to investigate apparent misbehavior?  Remember that any 
IDS will have a certain false positive rate.  Even for true positives, 
do you have the customer care resources to notify your users and (if 
appropriate) hold their hands while they disinfect their machines?

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





