Re: [Snort-users] Security Audit
<plug type=shameless>
http://www.boseco.com/index.php?name...viewtopic&t=31
</plug>

Please note that it's Frank Knobbe that originally wrote that piece and I just have it on my site because it's nice ;)

Best regards
Michael Boman

On Fri, 10 Dec 2004 22:11:00 -0700, Steven Crandell <steven.crandell@gmail.com> wrote:
> Greetings all,
>
> First off, thank you, to everyone who has dedicated their time and
> talents to building snort. Your efforts are, by any measure, hugely
> successful and greatly appreciated.
>
> My situation in short:
> Tomorrow my company will endure our quarterly security audit. The
> president of the company isn't terribly worried about our IDS most of
> the time, however when the audits occur, he's intensely interested in
> making sure that our IDS sees every bit of traffic involved in the
> audit.
>
> The 3rd party performing the audit has, once in the past, managed to
> perform their audit without being detected by our IDS. I would like
> to make sure this doesn't happen again.
> So, can anyone recommend any tips to making sure that we detect scans
> (even really slow, stealth scans) from behind a firewall that only
> permits traffic across ports 80 and 22?
>
> Given that I have the source ip from which the audit will originate, I
> can and certainly will, write a simple rule to capture and log all
> traffic from the IP in question. This is, of course, not possible in
> the process of day-to-day detection.
>
> I wonder if any of you have any words of wisdom to help me overcome this issue.
>
> It may be worth noting that:
> -I'm dealing with a class C network
> -I am using the flow-portscan preprocessor already
>
> Thank you in advance.
>
> Very best regards,
>
> --
> Steven Crandell
> steven.crandell@gmail.com
>
> "Getting an ethics lesson from the guy who cracked
> makelovenotspam.com.........priceless"