North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Using snort to detect if your users are doing interesting things?

  • From: Steven M. Bellovin
  • Date: Thu Jun 09 12:09:18 2005

In message <[email protected]als
ec.com>, [email protected] writes:
>
>
>As it was already noted, you need to be very careful about how you set 
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly.  Unfortunately, when 
>used incorrectly, it can hose your network over
>completely.
>
>My suggestion, in the case that you'll use snort, is to do some extensive 
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended 
>purpose.
>

Also figure out what you're going to do with the output.  Do you have 
the resources to investigate apparent misbehavior?  Remember that any 
IDS will have a certain false positive rate.  Even for true positives, 
do you have the customer care resources to notify your users and (if 
appropriate) hold their hands while they disinfect their machines.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb