Tina Bird said:

>> As for Rodney's comment: For network-based IDSs, I think we need to
>> not look at attacks, but look at abnormal traffic. E.g.: my web server
>> should not do DNS lookups. My mail server should not be ftping out.
>> Nobody should be sshing/tsing into the DB server in the DMZ. My
>> server should only send SYNACKs on port X, Y and Z.
>>
>> I'm pretty sure that snort could be made to do this - but it doesn't
>> do this today without some major rule foo.

We're doing that right now with Snort. It works well - within a well-defined environment such as a DMZ - where hosts tend to be a bit more formally managed.

In fact we have generalized the (snort) rules to alert whenever the IDS sees outgoing connections from *any* DMZ host that isn't in a list of acceptable ports and/or end-hosts. I.e. we allow DMZ hosts to do Windows Update and talk to Redhat up2date servers - but we alert when they attempt any other outgoing connection.

We have several networks with the same rules on, and it only triggers once every few weeks - when an admin decides to go do something on the web from a DMZ console... (followed by emails to a bunch of people apologizing for getting them paged for no good reason ;-).

It works well because it has no False Positives - but it does have such false alarms :-)

Jason Haar

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
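The egress-allowlist check Jason describes, written out as an added example (not code from the thread or from Snort) over constructed connection records: DMZ hosts may only initiate connections to the listed update servers and ports, replies (SYN/ACKs) from DMZ servers are ignored, and any other outbound SYN from a DMZ host raises an alert. The networks, addresses and the Conn record format are assumptions; the update-server addresses are placeholders standing in for the Windows Update and up2date hosts the post mentions.

```python
import ipaddress
from dataclasses import dataclass

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ range (TEST-NET-1)

# Allowlist of (destination network, destination port) a DMZ host may connect to.
# Placeholder addresses: stand-ins for Windows Update and Red Hat up2date servers.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("198.51.100.0/24"), 80),   # placeholder: Windows Update
    (ipaddress.ip_network("198.51.100.0/24"), 443),
    (ipaddress.ip_network("203.0.113.10/32"), 443),  # placeholder: up2date server
]

@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    syn_only: bool  # True for a bare SYN, i.e. the host is *initiating* a connection

def is_allowed(dst: str, dport: int) -> bool:
    """True if (dst, dport) matches an allowlist entry."""
    d = ipaddress.ip_address(dst)
    return any(d in net and dport == port for net, port in ALLOWED_EGRESS)

def check_egress(conns):
    """Return alert strings for DMZ-initiated connections outside the allowlist.
    Only new outbound SYNs are policed; SYN/ACK replies from DMZ servers are skipped."""
    alerts = []
    for c in conns:
        if not c.syn_only:
            continue  # server answering a client, not initiating
        if ipaddress.ip_address(c.src) not in DMZ_NET:
            continue  # only DMZ hosts are subject to this policy
        if not is_allowed(c.dst, c.dport):
            alerts.append(f"DMZ egress outside allowlist: {c.src} -> {c.dst}:{c.dport}")
    return alerts

# Constructed sample traffic: an update check, a web server's SYN/ACK reply,
# an admin browsing the web from a DMZ console, and a non-DMZ host.
SAMPLE = [
    Conn("192.0.2.10", "198.51.100.5", 443, True),   # allowed: update server
    Conn("192.0.2.200", "203.0.113.50", 51234, False),  # reply from DMZ web server
    Conn("192.0.2.25", "203.0.113.77", 80, True),    # admin browsing from DMZ console
    Conn("10.0.0.7", "203.0.113.77", 80, True),      # not a DMZ host, out of scope
]

if __name__ == "__main__":
    for alert in check_egress(SAMPLE):
        print(alert)
```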
This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 09:04:06 PST