Snort mailing list archives
Re: heavily switched networks
From: Erek Adams <erek () snort org>
Date: Wed, 24 Dec 2003 10:49:51 -0500 (EST)
On Wed, 24 Dec 2003, Stewart Larsen wrote:
> Well, you tell me. As a network admin in charge of security, should I be worried about intra-network traffic?
Maybe. The old statement about '80% of all attackers come from the inside' is a bit dated. It never was 100% true--Just true enough to make people think. Consider your network. Consider your data. Consider your users. You may want to think about running a second instance of Snort (with a small ruleset) on your uplink, where you are watching what goes out to the world.
> Would I be better off running a host-based IDS like tripwire on the servers I care about and only sniffing the uplink?
*shrug* If you're going that route, Tripwire or Aide are good choices. You could also install Snort on the boxes, run with a very slimmed down ruleset, and only watch that one host. But that's a bit of 'data overload'.

It's old but still true:

Security == 1 / Convenience

And the flip side to that is you have to make it "easy" or "convenient" for your security admin to monitor. Otherwise you'll be getting reports that no one ever looks at....

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson