[81436] in North American Network Operators' Group
Re: Using snort to detect if your users are doing interesting things?
daemon@ATHENA.MIT.EDU (Randy Bush)
Thu Jun 9 14:51:03 2005
From: Randy Bush <randy@psg.com>
Date: Thu, 9 Jun 2005 11:50:12 -0700
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
>> My suggestion, in the case that you'll use snort, is to do some extensive
>> testing on a non-production network. Take the time to learn and
>> understand its functionality and intended purpose.
> Also figure out what you're going to do with the output. Do you have
> the resources to investigate apparent misbehavior? Remember that any
> IDS will have a certain false positive rate. Even for true positives,
> do you have the customer care resources to notify your users and (if
> appropriate) hold their hands while they disinfect their machines.
it's enough of a pita to clean up the syslogs from all the 25k/day
password attacks per host, when one does not have password ssh
even enabled.
randy
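The syslog noise Randy describes is the triage problem Bellovin raises: before anyone investigates, the raw lines need to be boiled down to who is hammering which accounts. The script below is an added example, not part of the thread; it assumes OpenSSH's "Failed password for ... from ... port ..." syslog line format and runs over constructed sample lines.

```python
import re
from collections import Counter

# Matches OpenSSH's syslog line for a rejected password, including the
# "invalid user" variant logged for accounts that do not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize_failures(lines):
    """Return (per_source, per_user) Counters of failed ssh password attempts."""
    per_source, per_user = Counter(), Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:  # accepted logins and [preauth] disconnects are skipped
            per_source[m.group("src")] += 1
            per_user[m.group("user")] += 1
    return per_source, per_user

def noisy_sources(per_source, threshold):
    """Sources at or above threshold, busiest first, for a one-line daily digest."""
    return [(src, n) for src, n in per_source.most_common() if n >= threshold]

# Constructed sample syslog lines (not from the thread); RFC 5737 test addresses.
SAMPLE = """\
Jun  9 11:50:12 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Jun  9 11:50:13 host sshd[1202]: Failed password for root from 192.0.2.10 port 4243 ssh2
Jun  9 11:50:14 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 4244 ssh2
Jun  9 11:50:15 host sshd[1204]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jun  9 11:50:16 host sshd[1205]: Accepted publickey for randy from 198.51.100.7 port 50000 ssh2
Jun  9 11:50:17 host sshd[1206]: Connection closed by 203.0.113.5 port 51001 [preauth]
""".splitlines()

if __name__ == "__main__":
    per_source, per_user = summarize_failures(SAMPLE)
    for ip, n in noisy_sources(per_source, 2):
        print(f"{ip}: {n} failed password attempts")
    print("targeted accounts:", dict(per_user))
```

Feeding a day's auth log through this collapses tens of thousands of lines into a handful of source addresses and account names, which is the form a human can actually decide on.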