North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Using snort to detect if your users are doing interesting things?

  • From: Kim Onnel
  • Date: Thu Jun 09 16:30:56 2005
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta;; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:references; b=nuk2oN/mcXOm8p9eRr2X2Jf0s39rqt2f8RXZdlY7TjDottiCBVr3YnViNG5eiBxykMAyFkley3d0Y/uqiH99OqErns3BjmR6TKuUEfNRVgePABHsWAhcVRkGUoAJ1PrWprigq2CoGABoAa1JIi6FhOgbeWlxFr19Kz4puHe8iCE=

How about project Darknet and sinkholes and monitoring dark ip space, worms and botnets usually scans blindly right and left, so there is a good chance you will get a glimpse on infected hosts if thats what you want, i catch infected hosts by looking at apache access logs and i see alot of scans,

and Randy for that i change the ssh port to a higher one :)

On 6/9/05, Randy Bush <[email protected]> wrote:

>> My suggestion, in the case that you'll use snort, is to do some extensive
>> testing on a non-production network.  Take the time to learn and
>> understand its functionality and intended purpose.
> Also figure out what you're going to do with the output.  Do you have
> the resources to investigate apparent misbehavior?  Remember that any
> IDS will have a certain false positive rate.  Even for true positives,
> do you have the customer care resources to notify your users and (if
> appropriate) hold their hands while they disinfect their machines.

it's  enough of a pita to clean up the syslogs from all the 25k/day
password attacjs per host, when one does not have password ssh
even enabled.