Educause Security Discussion mailing list archives
Re: Intrusion Detection/Prevention Devices and Worms
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 27 Aug 2003 16:36:40 -0500
With several SNORT IDS sensors, we seem to have done OK at finding the victims, and have configured 'sniping' to attempt to interfere with the attack propagation to new victims.

But, since intra-switch attacks never become visible to the IDS sensors sitting at the tops of switch trees, these happen out of sight. We end up discovering the victims after the fact, when their probes pick more distant addresses to scan and cause them to pass up the switch tree and past a sensor.

Detecting and sniping attacks between next-door neighbors would require a sensor per switch, it seems (in the absence of new spanning magic). O', for the days of hubs'n'segments. <grin>

--
------------------------------------------------------------
Gary Dobbins, CISSP -- dobbins () nd edu
Director, Information Security
University of Notre Dame, Office of Information Technologies
Voice: 574.631.5554
------------------------------------------------------------

Andrew Watson wrote:
Has anyone had success using intrusion detection/prevention devices to help with the recent MS worm outbreaks? We were fortunate to be evaluating a device from Tipping Point Technologies (www.tippingpoint.com) when the worms hit. It has been a very helpful tool for identifying and stopping propagation of the worms, but I have found that its reporting capabilities are very weak. Any advice or experiences would be greatly appreciated, as we will probably go ahead and purchase a device like this before our evaluation period ends.

Sincerely,

Andrew Watson
Sr. Systems Administrator
Colorado College
14 E. Cache La Poudre
Colorado Springs, CO 80903
Email: awatson () coloradocollege edu
Phone: 719.389.6733
Fax: 719.389.6959

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
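The visibility gap Gary describes, as an added illustration that is not part of either post: an uplink sensor only sees flows that cross between switches, so a fan-out (distinct-destination) count run over what the sensor sees cannot flag a victim that is still sweeping its own segment, and only catches it once its probes head for more distant addresses. The subnet layout, flow records and probe port below are all constructed for the example; the port number is a placeholder, not a claim about any particular worm.

```python
"""
Added example (not from the original thread): why an IDS sensor at the top of a
switch tree misses intra-switch worm scanning, and why the same fan-out
detection logic catches the victim only after it starts probing other subnets.
All addresses, flows and the probe port are constructed for this illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed layout: each /24 hangs off its own access switch; the sensor sits
# on the uplink and only sees flows whose source and destination are in
# different /24s (intra-switch traffic never reaches it).
SUBNETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]
PROBE_PORT = 4444        # placeholder probe port for the example, not a real worm's
FANOUT_THRESHOLD = 5     # distinct destinations on PROBE_PORT before a source is flagged


def subnet_of(addr):
    """Return the /24 a host lives in, or None for addresses outside our layout."""
    ip = ipaddress.ip_address(addr)
    for net in SUBNETS:
        if ip in net:
            return net
    return None


def uplink_visible(flow):
    """True if an uplink sensor would see this flow, i.e. it crosses a subnet boundary."""
    return subnet_of(flow["src"]) != subnet_of(flow["dst"])


def sensor_view(flows):
    """Filter a full flow list down to what the top-of-tree sensor actually observes."""
    return [f for f in flows if uplink_visible(f)]


def find_scanners(flows, port=PROBE_PORT, threshold=FANOUT_THRESHOLD):
    """Flag sources that probe at least `threshold` distinct hosts on `port`."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == port:
            targets[f["src"]].add(f["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def make_flows():
    """Constructed traffic: one victim sweeps its own /24, then a neighbouring /24."""
    flows = []
    # Phase 1: 10.1.1.50 probes 20 hosts on its own segment (all intra-switch).
    for h in range(10, 30):
        flows.append({"src": "10.1.1.50", "dst": f"10.1.1.{h}", "dport": PROBE_PORT})
    # Phase 2: it moves on to 8 hosts in the next subnet (crosses the uplink).
    for h in range(1, 9):
        flows.append({"src": "10.1.1.50", "dst": f"10.1.2.{h}", "dport": PROBE_PORT})
    # Some benign cross-subnet traffic that should not be flagged.
    flows.append({"src": "10.1.2.7", "dst": "10.1.1.3", "dport": 80})
    return flows


def demo():
    """Compare ground truth against what the sensor can conclude at each phase."""
    flows = make_flows()
    phase1_only = flows[:20]
    return {
        "ground_truth": find_scanners(flows),
        "sensor_during_local_sweep": find_scanners(sensor_view(phase1_only)),
        "sensor_after_remote_probes": find_scanners(sensor_view(flows)),
    }


if __name__ == "__main__":
    for label, hosts in demo().items():
        print(f"{label}: {hosts}")
```

The first result lists the victim because the full flow set is available; the second is empty because none of the 20 local probes ever crossed the uplink; the third flags the victim once 8 probes toward the other subnet pass the sensor. Closing that gap with the same logic means either a sensor per access switch or exporting per-port flow or ARP/MAC-table data from the switches themselves.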
Current thread:
- Intrusion Detection/Prevention Devices and Worms Andrew Watson (Aug 27)
- <Possible follow-ups>
- Re: Intrusion Detection/Prevention Devices and Worms Gary Dobbins (Aug 27)