[Snort-users] heavily switched networks

Erek Adams erek at ...950...
Wed Dec 24 07:51:00 EST 2003


On Wed, 24 Dec 2003, Stewart Larsen wrote:

> Well, you tell me.  As a network admin in charge of security, should I
> be worried about intra-network traffic?

Maybe.  The old statement about '80% of all attackers come from the
inside' is a bit dated.  It never was 100% true--Just true enough to make
people think.

Consider your network.  Consider your data.  Consider your users.  You may
want to think about running a second instance of Snort (with a small
ruleset) on your uplink, where you are watching what goes out to the
world.

> Would I be better off running a host-based IDS like tripwire on the
> servers I care about and only sniffing the uplink?

*shrug* If you're going that route, Tripwire or Aide are good choices.
You could also install Snort on the boxes, run with a very slimmed down
ruleset, and only watch that one host.  But that's a bit of 'data
overload'.

It's old but still true:

                 1
Security == -------------
             Convenience

And the flip side to that is you have to make it "easy" or "convenient" for
your security admin to monitor.  Otherwise you'll be getting reports that
no one ever looks at....

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

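The two setups the reply sketches (a slimmed-down Snort instance watching a single host, and a second instance on the uplink) as an added example that is not part of the original post and not Snort project code. It writes Snort 2.x-era configuration files of the kind in use in 2003 and prints the command lines that would start each sensor; it does not run snort itself. File paths, interface names, addresses, the rule files included and the BPF filter are all assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate two slimmed-down
# Snort 2.x configurations -- one for a single host, one for the uplink --
# and print the command lines that would start them. Nothing here invokes
# snort, so it runs without it installed. Paths, interfaces, addresses and
# the choice of rule files are assumptions.

# write_host_conf OUTFILE HOST_IP RULE_PATH
# Host-only sensor: HOME_NET is that one host and only a few rule files are
# included, so the box is not buried in alerts about other people's traffic.
write_host_conf() {
    out=$1; host=$2; rules=$3
    cat > "$out" <<EOF
# Snort 2.x host sensor config (generated; assumed layout)
var HOME_NET $host/32
var EXTERNAL_NET !\$HOME_NET
var RULE_PATH $rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
output alert_syslog: LOG_AUTH LOG_ALERT
# keep the ruleset small: only what matters for this host
include \$RULE_PATH/exploit.rules
include \$RULE_PATH/backdoor.rules
include \$RULE_PATH/scan.rules
EOF
}

# write_uplink_conf OUTFILE INTERNAL_CIDR RULE_PATH
# Uplink sensor: HOME_NET is the whole internal range, so rules written as
# $HOME_NET -> $EXTERNAL_NET fire on what leaves for the world.
write_uplink_conf() {
    out=$1; net=$2; rules=$3
    cat > "$out" <<EOF
# Snort 2.x uplink sensor config (generated; assumed layout)
var HOME_NET $net
var EXTERNAL_NET !\$HOME_NET
var RULE_PATH $rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
output alert_syslog: LOG_AUTH LOG_ALERT
include \$RULE_PATH/backdoor.rules
include \$RULE_PATH/scan.rules
include \$RULE_PATH/local.rules
EOF
}

# snort_cmd CONF IFACE LOGDIR [BPF]
# Prints the start command. A trailing BPF expression limits what Snort
# even sees; on the host sensor "host <ip>" keeps every other machine's
# packets out of the logs, which is the "data overload" the reply warns of.
snort_cmd() {
    conf=$1; iface=$2; logdir=$3; bpf=$4
    if [ -n "$bpf" ]; then
        echo "snort -c $conf -i $iface -l $logdir -A fast -D '$bpf'"
    else
        echo "snort -c $conf -i $iface -l $logdir -A fast -D"
    fi
}

# Usage with constructed values.
write_host_conf /tmp/snort-host.conf 192.168.1.10 /etc/snort/rules
write_uplink_conf /tmp/snort-uplink.conf 192.168.1.0/24 /etc/snort/rules
snort_cmd /tmp/snort-host.conf eth0 /var/log/snort "host 192.168.1.10"
snort_cmd /tmp/snort-uplink.conf eth1 /var/log/snort-uplink
```

Run it once to produce the two files and the two command lines, then adjust the include list to the services each box actually runs before starting anything; the point of the exercise is a ruleset small enough that someone will still read the alerts.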