[81431] in North American Network Operators' Group
Re: Using snort to detect if your users are doing interesting things?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Jun 9 12:08:37 2005
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: nanog@merit.edu
In-Reply-To: Your message of "Thu, 09 Jun 2005 11:36:22 EDT."
<OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82@mail.kalsec.com>
Date: Thu, 09 Jun 2005 12:08:09 -0400
Errors-To: owner-nanog@merit.edu
In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82@mail.kalsec.com>, trainier@kalsec.com writes:
>
>
>As it was already noted, you need to be very careful about how you set
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly. Unfortunately, when
>used incorrectly, it can hose your network over completely.
>
>My suggestion, in the case that you'll use snort, is to do some extensive
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended
>purpose.
>
Also figure out what you're going to do with the output. Do you have
the resources to investigate apparent misbehavior? Remember that any
IDS will have a certain false positive rate. Even for true positives,
do you have the customer care resources to notify your users and (if
appropriate) hold their hands while they disinfect their machines?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
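The workload point above (false positives plus the care needed for true ones) is easy to underestimate, so here is an added example, not part of the thread, that turns a sensor's false positive rate, detection rate and the base rate of infected traffic into a daily alert count, alert precision and analyst hours; all input figures are constructed assumptions, not measurements.

```python
from dataclasses import dataclass

# Added example for the NANOG discussion above; every number fed to these
# functions is a constructed assumption, not a measured Snort figure.


@dataclass
class TriagePlan:
    alerts_per_day: float
    true_alerts_per_day: float
    false_alerts_per_day: float
    precision: float            # share of alerts that are worth an analyst's time
    analyst_hours_per_day: float


def plan_triage(events_per_day, infected_fraction, detection_rate,
                false_positive_rate, minutes_per_alert):
    """Estimate the daily alert load an IDS produces and the staff needed to
    chase it. An 'event' is whatever the sensor judges (a flow, a session);
    infected_fraction is the share of events that are genuinely malicious."""
    bad = events_per_day * infected_fraction
    good = events_per_day - bad
    true_alerts = bad * detection_rate           # caught misbehaviour
    false_alerts = good * false_positive_rate    # benign traffic flagged anyway
    alerts = true_alerts + false_alerts
    precision = true_alerts / alerts if alerts else 0.0
    hours = alerts * minutes_per_alert / 60.0    # investigation time, no customer care yet
    return TriagePlan(alerts, true_alerts, false_alerts, precision, hours)


def max_false_positive_rate(events_per_day, infected_fraction,
                            detection_rate, target_precision):
    """Largest per-event false positive rate the rule set may have before
    precision drops below target_precision: from tp/(tp+fp) >= target
    we need fp <= tp*(1-target)/target, spread over the benign events."""
    bad = events_per_day * infected_fraction
    good = events_per_day - bad
    true_alerts = bad * detection_rate
    fp_allowed = true_alerts * (1.0 - target_precision) / target_precision
    return fp_allowed / good


if __name__ == "__main__":
    # Constructed scenario: a million judged events a day, 1 in 10,000 bad,
    # 90% detection, 0.1% false positives, 15 minutes per alert.
    p = plan_triage(1_000_000, 0.0001, 0.9, 0.001, 15)
    print(f"{p.alerts_per_day:.0f} alerts/day, precision {p.precision:.1%}, "
          f"{p.analyst_hours_per_day:.0f} analyst hours/day")
    print(f"FPR ceiling for 50% precision: {max_false_positive_rate(1_000_000, 0.0001, 0.9, 0.5):.2e}")
```

The base rate dominates: with only one event in ten thousand malicious, a 0.1% false positive rate leaves fewer than one alert in ten worth acting on, and keeping precision at 50% would require a false positive rate near one in eleven thousand.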