[81437] in North American Network Operators' Group


Re: Using snort to detect if your users are doing interesting things?

daemon@ATHENA.MIT.EDU (Kim Onnel)
Thu Jun 9 16:30:08 2005

Date: Thu, 9 Jun 2005 23:29:37 +0300
From: Kim Onnel <karim.adel@gmail.com>
Reply-To: Kim Onnel <karim.adel@gmail.com>
To: Randy Bush <randy@psg.com>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>, nanog@merit.edu
In-Reply-To: <17064.36708.170533.868874@roam.psg.com>
Errors-To: owner-nanog@merit.edu



How about project Darknet and sinkholes and monitoring dark IP space? Worms
and botnets usually scan blindly right and left, so there is a good chance
you will get a glimpse of infected hosts if that's what you want. I catch
infected hosts by looking at Apache access logs and I see a lot of scans,

and Randy, for that I change the ssh port to a higher one :)

On 6/9/05, Randy Bush <randy@psg.com> wrote:
>
> >> My suggestion, in the case that you'll use snort, is to do some extensive
> >> testing on a non-production network. Take the time to learn and
> >> understand its functionality and intended purpose.
> > Also figure out what you're going to do with the output. Do you have
> > the resources to investigate apparent misbehavior? Remember that any
> > IDS will have a certain false positive rate. Even for true positives,
> > do you have the customer care resources to notify your users and (if
> > appropriate) hold their hands while they disinfect their machines.
>
> it's enough of a pita to clean up the syslogs from all the 25k/day
> password attacks per host, when one does not have password ssh
> even enabled.
>
> randy
>
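Kim's approach of spotting infected hosts in Apache access logs, as an added example that is not code from the post or its authors: a source whose requests are mostly 404s spread across many distinct paths is behaving like a blind scanner, so flag it. The sample log lines are constructed and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The regex is written for this example.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): 198.51.100.7 probes a handful of
# well-known paths and mostly gets 404s; 203.0.113.5 is an ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jun/2005:23:01:02 +0300] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Jun/2005:23:01:03 +0300] "GET /cgi-bin/test.cgi HTTP/1.0" 404 294 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Jun/2005:23:01:03 +0300] "GET /phpMyAdmin/ HTTP/1.0" 404 294 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Jun/2005:23:01:04 +0300] "GET /admin/ HTTP/1.0" 404 294 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Jun/2005:23:01:04 +0300] "GET /_vti_bin/ HTTP/1.0" 404 294 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Jun/2005:23:01:05 +0300] "GET /scripts/ HTTP/1.0" 404 294 "-" "Mozilla/4.0"
203.0.113.5 - - [09/Jun/2005:23:02:10 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2005:23:02:11 +0300] "GET /style.css HTTP/1.1" 200 812 "http://example.net/" "Mozilla/5.0"
"""

def parse(lines):
    """Yield parsed records; lines that do not fit the format are skipped, not crashed on."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def scan_sources(lines, min_requests=5, min_404_ratio=0.8):
    """Return {src: (requests, not_found, distinct_paths)} for sources whose traffic
    looks like a blind scan: enough requests, mostly 404s, spread over many paths.
    The thresholds are assumptions, not values from the post."""
    stats = defaultdict(lambda: [0, 0, set()])
    for rec in parse(lines):
        s = stats[rec["src"]]
        s[0] += 1
        if rec["status"] == "404":
            s[1] += 1
        s[2].add(rec["path"])
    return {
        src: (n, n404, len(paths))
        for src, (n, n404, paths) in stats.items()
        if n >= min_requests and n404 / n >= min_404_ratio and len(paths) >= min_requests
    }

if __name__ == "__main__":
    for src, (n, n404, paths) in scan_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} requests, {n404} x 404, {paths} distinct paths")
```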

