North American Network Operators Group
Re: Using snort to detect if your users are doing interesting things?
In message <[email protected]als ec.com>, [email protected] writes:
>
>
>As it was already noted, you need to be very careful about how you set
>your IDS up, specifically if you choose snort.
>Snort is a very powerful tool, when used correctly. Unfortunately, when
>used incorrectly, it can hose your network over
>completely.
>
>My suggestion, in the case that you'll use snort, is to do some extensive
>testing on a non-production network.
>Take the time to learn and understand its functionality and intended
>purpose.
>

Also figure out what you're going to do with the output. Do you have the
resources to investigate apparent misbehavior? Remember that any IDS
will have a certain false positive rate. Even for true positives, do you
have the customer care resources to notify your users and (if appropriate)
hold their hands while they disinfect their machines.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb