[Snort-users] Error trapping signatures ...

Erek Adams erek at ...950...
Sun Jun 22 07:13:01 EDT 2003


On Sat, 21 Jun 2003, Jon Baer wrote:

> I was trying to rip through the archives to see what opinions existed for
> things like error trapping and could not find much. I only joined the list
> not too long ago, but I'm looking to see if there are any downsides to error
> trapping ...

[...snip...]

> I realize a dev box to have them set to pass vs. alert but is there a
> downside to having a handful of these type of alerts around?

Actually, check the archives for 'anomaly detection' to get some other
ideas about ways to do this.

Basically, once you have a "known" network, it doesn't take much to get a
set of rules when you see "something that shouldn't be happening".  A nice
benefit of this is that once this is set up, any changes that are made to
the network (rogue server) become pretty obvious.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
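
The "known network" idea from the reply above, as an added example that is not part of the original post: a baseline of expected services is compared against observed flows, and any internal host answering on a service outside the baseline stands out. The addresses, the baseline set and the five-field flow format are all constructed for illustration.

```python
import ipaddress
from collections import Counter

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed (documentation range)

# Services the "known" network is supposed to offer: (server, proto, port). Constructed.
BASELINE = {
    ("192.0.2.10", "tcp", 25),
    ("192.0.2.20", "tcp", 80),
    ("192.0.2.20", "tcp", 443),
    ("192.0.2.53", "udp", 53),
}

# Constructed flow summaries, one per line: client server proto server_port state
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.20 tcp 80 established
198.51.100.7 192.0.2.20 tcp 443 established
192.0.2.31 192.0.2.53 udp 53 established
198.51.100.9 192.0.2.10 tcp 25 established
192.0.2.31 192.0.2.77 tcp 80 established
192.0.2.44 192.0.2.77 tcp 80 established
198.51.100.9 192.0.2.20 tcp 22 rejected
192.0.2.31 203.0.113.5 tcp 443 established
"""

def parse_flows(text):
    """Yield (client, server, proto, port, state) tuples; reject malformed lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        client, server, proto, port, state = parts
        yield client, server, proto.lower(), int(port), state

def unexpected_services(flows, baseline=BASELINE, home_net=HOME_NET):
    """Count answered connections to internal services missing from the baseline."""
    hits = Counter()
    for _client, server, proto, port, state in flows:
        if state != "established":
            continue  # a refused probe shows nothing is listening there
        if ipaddress.ip_address(server) not in home_net:
            continue  # only services hosted inside the known network are checked
        if (server, proto, port) not in baseline:
            hits[(server, proto, port)] += 1
    return hits

if __name__ == "__main__":
    for (server, proto, port), n in unexpected_services(parse_flows(SAMPLE_FLOWS)).items():
        print(f"not in baseline: {server} {proto}/{port} ({n} connections)")
```
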



