[Snort-users] question

Eric Garnel eric at ...9287...
Mon May 26 18:31:04 EDT 2003

The network that I manage is unique in that I often have "guests"
connecting to my access level switches for a short time only (1 to 5
days).  Occasionally, we get a guest machine that is infected and is
"blabbing" out to the internet.  It sometimes becomes an issue when
one of the groups such as abuse.net comes back with a complaint.
Usually, the client has moved on already and the offending address is
back in the pool.

Is snort the right tool and if so, does anyone have any pointers on
how to configure it to watch for outbound malicious traffic only
(scans, known signatures, etc.)? My 1st thought is to set the
HOME_NET to any and the EXTERNAL_NET to my dhcp address ranges.

I am trying to have a way of determining if there is malicious
activity stemming from my network before I have to hear about it from
someone else.


Eric Garnel CCNP, MCSE

eric at ...9287...



More information about the Snort-users mailing list