[Cialug] Intrusion Detection/Prevention
Academician Kula
kula at tproa.net
Fri Dec 9 15:46:42 CST 2005
On Fri, Dec 09, 2005 at 01:14:28PM -0800, Aaron Porter wrote:
>
> If a bank locks their vault at night, why have a security camera? IDS
> software can be really nice to keep an eye on your network; even if
> there is no hacking. I've run both Snort and Bro. Snort was nice
> because it was incredibly well supported and very well documented. Bro
> (http://bro-ids.org/) is nice because rather than matching an
> exploit string can watch for a regex, but the most valuable feature to
> me is that it watches for "strange" traffic. SMTP/ssh/etc on odd
> ports, strange tcp connection patterns, etc. Sometimes it sends me
> scrambling after a Skype user by accident, but it does a pretty good
> job of filtering alerts.
Probably the best explanation I've heard for doing IDS or other network
monitoring is "how can you know when something weird is happening on
your network until you know what is /normal/ on your network?" For
example, here at ISU we keep track of the top network traffic generators.
When some random machine that we've never seen before pops up, it's an
indication to start wondering why that machine is all of a sudden generating
a large amount of traffic.
--
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/
Mathom House upon the Canw, The People's Republic of Ames
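The "know what is normal first" idea above, as an added example and not code from this thread or from ISU: keep a list of which hosts have shown up among the top traffic generators in past windows, then flag any host that enters today's top list without ever having been there before. The flow summaries (source IP, bytes sent) and the top-N / byte-threshold parameters are constructed and assumed; a real deployment would feed this from flow or SNMP counters.

```python
from collections import defaultdict

# Constructed sample flow summaries, one list per daily window, as
# (src_ip, bytes_sent). Hosts and byte counts are invented for illustration.
BASELINE_DAYS = [
    [("10.0.0.5", 8_000_000_000), ("10.0.0.7", 3_500_000_000),
     ("10.0.0.9", 900_000_000), ("10.0.0.20", 120_000_000)],
    [("10.0.0.5", 7_200_000_000), ("10.0.0.7", 4_100_000_000),
     ("10.0.0.9", 1_100_000_000), ("10.0.0.21", 95_000_000)],
    [("10.0.0.7", 3_900_000_000), ("10.0.0.5", 7_900_000_000),
     ("10.0.0.9", 850_000_000), ("10.0.0.22", 80_000_000)],
]
TODAY = [
    ("10.0.0.5", 7_600_000_000), ("10.0.0.7", 3_800_000_000),
    ("10.0.0.42", 6_400_000_000),   # a host that has never been a top talker
    ("10.0.0.9", 950_000_000), ("10.0.0.23", 70_000_000),
]


def bytes_per_host(flows):
    """Sum bytes sent per source host over one window."""
    totals = defaultdict(int)
    for host, nbytes in flows:
        totals[host] += nbytes
    return dict(totals)


def top_talkers(flows, n=3):
    """Return the n hosts that sent the most bytes, largest first."""
    totals = bytes_per_host(flows)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_baseline(days, n=3):
    """Every host that has appeared in a past window's top-n list."""
    known = set()
    for flows in days:
        known.update(host for host, _ in top_talkers(flows, n))
    return known


def new_top_talkers(baseline, flows, n=3, min_bytes=1_000_000_000):
    """Hosts in today's top-n that are absent from the baseline.

    min_bytes (assumed threshold) keeps a quiet network from flagging a
    small host that only made the top list because nothing else was busy.
    """
    return [(host, nbytes) for host, nbytes in top_talkers(flows, n)
            if host not in baseline and nbytes >= min_bytes]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_DAYS)
    for host, nbytes in new_top_talkers(baseline, TODAY):
        print(f"new top talker: {host} sent {nbytes / 1e9:.1f} GB today")
```

The baseline is deliberately a set of hosts rather than a byte ceiling: the signal Kula describes is "a machine we have never seen before", so the first question is membership, and the volume threshold only suppresses noise. Ageing hosts out of the baseline after some number of quiet windows is left as a site decision.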