Educause Security Discussion mailing list archives

Re: Intrusion Detection/Prevention Devices and Worms


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 27 Aug 2003 16:36:40 -0500

With several SNORT IDS sensors, we seem to have done OK at finding the
victims, and have configured 'sniping' to attempt to interfere with
the attack propagation to new victims. But, since intra-switch attacks
never become visible to the IDS sensors sitting at the tops of switch
trees, these happen out of sight.  We end up discovering the victims
after the fact when their probes pick more distant addresses to scan
and cause them to pass up the switch tree and past a sensor.
Detecting and sniping attacks between next-door neighbors would
require a sensor-per-switch it seems (in the absence of new spanning
magic).

O', for the days of hubs'n'segments.  <grin>

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------


Andrew Watson wrote:

Has anyone had success using intrusion detection/prevention devices to
help with the recent MS worm outbreaks?  We were fortunate to be
evaluating a device from Tipping Point Technologies
(www.tippingpoint.com) when the worms
hit.  It has been a very helpful tool for identifying and stopping
propagation of the worms, but I have found that its reporting
capabilities are very weak.  Any advice or experiences would be greatly
appreciated, as we will probably go ahead and purchase a device like
this before our evaluation period ends.
Sincerely,

Andrew Watson
Sr. Systems Administrator
Colorado College
14 E. Cache La Poudre
Colorado Springs, CO 80903
Email: awatson () coloradocollege edu
Phone: 719.389.6733
Fax: 719.389.6959
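Gary's point above is that sensors on the uplinks never see a flow between two hosts on the same access switch, so an infected host is noticed only once its probes reach other subnets. The following is an added example, not code from either poster: a small Python model of that visibility gap run over constructed flow records, with a per-source count of distinct destinations standing in for the IDS scan rule. The topology, addresses, flows, sensor sites and threshold are all assumptions made for the illustration.

```python
"""Added example: how sensor placement in a switch tree changes when a
scanning host is first noticed. Topology and flows are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed campus: each access switch serves one /24. Uplink sensors
# (site name "core") see only traffic that leaves an access switch; a
# sensor listed under a switch name sees every flow touching that switch
# (for example a SPAN port on the access switch itself).
ACCESS_SWITCHES = {
    "sw-a": ip_network("10.1.1.0/24"),
    "sw-b": ip_network("10.1.2.0/24"),
    "sw-c": ip_network("10.1.3.0/24"),
}


def switch_for(ip):
    """Name of the access switch serving this address ("external" if none)."""
    addr = ip_address(ip)
    for name, net in ACCESS_SWITCHES.items():
        if addr in net:
            return name
    return "external"


def visible_to(flow, sensor_sites):
    """True if any sensor in sensor_sites observes this flow."""
    src_sw, dst_sw = switch_for(flow["src"]), switch_for(flow["dst"])
    crosses_uplink = src_sw != dst_sw
    return (src_sw in sensor_sites or dst_sw in sensor_sites
            or (crosses_uplink and "core" in sensor_sites))


def first_detection(flows, sensor_sites, threshold):
    """Index of the flow at which some source has been seen probing
    `threshold` distinct destinations, counting only flows the sensors
    observe; None if the scan never becomes visible enough to alert."""
    seen = defaultdict(set)
    for idx, flow in enumerate(flows):
        if not visible_to(flow, sensor_sites):
            continue
        seen[flow["src"]].add(flow["dst"])
        if len(seen[flow["src"]]) >= threshold:
            return idx
    return None


# Constructed flows: an infected host on sw-a first sweeps its own /24
# (20 probes that never cross an uplink), then widens to sw-b and sw-c.
INFECTED = "10.1.1.50"
FLOWS = (
    [{"src": INFECTED, "dst": f"10.1.1.{i}", "dport": 135} for i in range(1, 21)]
    + [{"src": INFECTED, "dst": f"10.1.{s}.{i}", "dport": 135}
       for s in (2, 3) for i in range(1, 6)]
)

if __name__ == "__main__":
    # Uplink sensors only, versus uplink sensors plus one on the victim's switch.
    for sites in ({"core"}, {"core", "sw-a"}):
        idx = first_detection(FLOWS, sites, threshold=5)
        print(f"sensors at {sorted(sites)}: first alert at flow index {idx}")
```

With uplink sensors alone the first alert fires at flow index 24, after the whole local /24 has already been swept; adding a sensor on the infected host's own switch moves the alert to index 4. Raising the threshold above the number of cross-subnet probes (11 here) leaves the uplink-only deployment with no alert at all, which is the "out of sight" case in the message.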



********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
