[Snort-users] What am I Protecting Against?
hackerwacker at ...3784...
Tue Jun 3 00:15:10 EDT 2003
: Interestingly, I'm getting a mixture of somewhat-conflicting answers to
: my question -- all of which are, I think, right.
Each network is different; each with its own policies
and needs. Your needs are different from mine, as are our networks.
To me, Snort is much more than an IDS. Rules
for normal traffic, like formmail.pl, zone transfers,
robots.txt, ect provide me with useful information.
Some, like formmail rules, tell me when things get excessive
& might signal an exploit.
The zone transfer rule lets me keep up with many primary and secondary
NS'es without greping lots of logs. Right now I am using a NNTP rule
to ID the users that are hogging transit bandwidth because they don't
we have a local news server. A web client wanted to know when they got indexed,
so I used the robots.txt rule to provide this info.
More information about the Snort-users