Another benefit of Intrusion Detection Systems that wasn't mentioned is the ability to find misconfigured hosts within your network. Our network is a hub and spokes design with a fast hub network covered by intrusion detection software. A couple of days ago I found SNMP queries seeming to be from a client in one region going to all machines on a subnet in another region. It was not an attack but a misconfigured Windows 98 box. Windows 98 will do SNMP tests on a subnet if it can't get a NetBIOS response for name broadcasts. The Win98 box had an incorrect subnet mask and no WINS server settings, so it was broadcasting to an incorrect broadcast address. Yes, it was a false positive, but even that alerted us to configuration problems and allowed us to give helpdesk support in handling client queries.
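The pattern described in the post (one client sending SNMP queries to every machine on a subnet in another region) can be picked out of flow records with a simple fan-out check. The following is an added example, not part of the original post or of any IDS product; the region subnets, the management-station allowlist, the threshold and the flow tuples are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed topology (assumption): region name -> address block.
REGIONS = {
    "east": ipaddress.ip_network("10.1.0.0/16"),
    "west": ipaddress.ip_network("10.2.0.0/16"),
}
# Sanctioned SNMP pollers that are expected to sweep subnets (assumption).
NMS_HOSTS = {ipaddress.ip_address("10.1.0.10")}

def region_of(addr):
    """Return the region whose block contains addr, or None."""
    for name, net in REGIONS.items():
        if addr in net:
            return name
    return None

def snmp_fanout(flows, min_hosts=5):
    """Flag sources that send SNMP (udp/161) to many hosts in one /24."""
    targets = defaultdict(set)  # (source, destination /24) -> distinct hosts
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport != 161:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in NMS_HOSTS:
            continue  # expected polling, not worth an alert
        subnet = ipaddress.ip_network(f"{d}/24", strict=False)
        targets[(s, subnet)].add(d)
    findings = []
    for (s, subnet), hosts in targets.items():
        if len(hosts) >= min_hosts:
            findings.append({
                "src": str(s), "subnet": str(subnet), "hosts": len(hosts),
                # A client sweeping a subnet outside its own region is the
                # cue to check its mask and name-resolution settings.
                "cross_region": region_of(s) != region_of(subnet.network_address),
            })
    return findings

# Constructed flow records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = (
    [("10.1.4.23", f"10.2.7.{h}", "udp", 161) for h in range(1, 21)]    # client sweep
    + [("10.1.0.10", f"10.2.7.{h}", "udp", 161) for h in range(1, 21)]  # NMS polling
    + [("10.1.4.50", "10.1.4.1", "udp", 161), ("10.1.4.23", "10.2.7.5", "tcp", 80)]
)

if __name__ == "__main__":
    for finding in snmp_fanout(SAMPLE_FLOWS):
        print(finding)
```

A finding with `cross_region` set is a prompt to inspect the source host's subnet mask and WINS settings before treating it as hostile scanning.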
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:56 PDT