[Snort-users] Error trapping signatures ...
erek at ...950...
Sun Jun 22 07:13:01 EDT 2003
On Sat, 21 Jun 2003, Jon Baer wrote:
> I was trying to rip through the archives to see what opinions existed for
> things like error trapping and could not find much. I only joined the list
> not too long ago, but I'm looking to see if there are any downsides to error
> trapping ...
> I realize a dev box to have them set to pass vs. alert, but is there a
> downside to having a handful of these type of alerts around?
Actually, check the archives for 'anomaly detection' to get some other
ideas about ways to do this.
Basically, once you have a "known" network, it doesn't take much to get a
set of rules when you see "something that shouldn't be happening". A nice
benefit of this is that once this is set up, any changes that are made to
the network (rogue server) become pretty obvious.
"When things get weird, the weird turn pro." H.S. Thompson
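The "known network" idea from the reply above, as an added example that is not part of the original message or of Snort: learn which internal hosts answer on which ports during a baseline window, then report any internal service that answers later but was never seen in the baseline. The record format, `HOME_NET` range, function names and sample traffic are all assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range

class Service(NamedTuple):
    host: str
    proto: str
    port: int

def answering_service(line):
    """Return the internal Service that answered in this record, or None.

    Constructed record format: 'proto src:sport -> dst:dport flags'.
    A TCP SYN-ACK (flags 'SA') sent by an internal address means that
    host accepted a connection on its source port, i.e. it is a server.
    """
    proto, src, _arrow, _dst, flags = line.split()
    host, port = src.rsplit(":", 1)
    if proto == "tcp" and flags == "SA" and ipaddress.ip_address(host) in HOME_NET:
        return Service(host, proto, int(port))
    return None

def learn_baseline(lines):
    """Build the set of known services from a trusted observation window."""
    return {svc for svc in map(answering_service, lines) if svc}

def unexpected_services(lines, baseline):
    """List each internal service seen answering that is not in the baseline."""
    found = []
    for line in lines:
        svc = answering_service(line)
        if svc and svc not in baseline and svc not in found:
            found.append(svc)  # report each new service once
    return found

# Constructed sample traffic (documentation address ranges for outside hosts).
BASELINE_TRAFFIC = [
    "tcp 192.168.1.10:25 -> 203.0.113.7:40112 SA",    # known mail server
    "tcp 192.168.1.20:80 -> 198.51.100.4:51544 SA",   # known web server
    "tcp 192.168.1.33:51000 -> 198.51.100.4:80 S",    # client SYN, not a service
]
LIVE_TRAFFIC = [
    "tcp 192.168.1.10:25 -> 203.0.113.9:40999 SA",    # in baseline
    "tcp 192.168.1.77:80 -> 203.0.113.9:41000 SA",    # new web server on a desktop
    "tcp 192.168.1.77:80 -> 198.51.100.8:41001 SA",   # same service again
    "tcp 198.51.100.4:80 -> 192.168.1.33:51001 SA",   # external server, ignored
]

if __name__ == "__main__":
    for svc in unexpected_services(LIVE_TRAFFIC, learn_baseline(BASELINE_TRAFFIC)):
        print(f"unexpected service: {svc.host} {svc.proto}/{svc.port}")
```
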