[81435] in North American Network Operators' Group
Re: Using snort to detect if your users are doing interesting things?
daemon@ATHENA.MIT.EDU (Christian Kuhtz)
Thu Jun 9 14:48:48 2005
Date: Thu, 09 Jun 2005 14:45:53 -0400
From: "Christian Kuhtz" <christian.kuhtz@bellsouth.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>,
"nanog" <nanog@merit.edu>
In-Reply-To: <20050609160809.B4A443BFFFB@berkshire.machshav.com>
Errors-To: owner-nanog@merit.edu
On 6/9/05 12:08 PM, "Steven M. Bellovin" <smb@cs.columbia.edu> wrote:
> Also figure out what you're going to do with the output. Do you have
> the resources to investigate apparent misbehavior? Remember that any
> IDS will have a certain false positive rate. Even for true positives,
> do you have the customer care resources to notify your users and (if
> appropriate) hold their hands while they disinfect their machines.
And along the same lines, as much as it irks me to state this, one needs to
ask whether this really is a desirable state and what sort of implications
does one create when that is done. One might find the discussions with
appropriate legal counsel to be quite enlightening, for example, and they
are probably a good starting point prior to even attempting to
operationalize sorting out wheat from chaff, let alone responding in a
useful manner.
Best regards,
Christian