argus and snort ?

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 11 22:06:27 EDT 2000


On Mon, 11 Sep 2000 18:02:13 -0700 (PDT) Peter Van Epp <vanepp at sfu.ca> 
wrote:

> 	To me as Russell says that's a different job than argus does at present,
> and I wouldn't stop running argus if I do choose to also run snort, NFR or
> Dragon because the latter 3 don't keep a record of everything on my net (as
> argus does) but only things they see as attacks. I'm currently unconvinced
> that they are going to be able to do a better job than argus however (nor 
> reduce the amount of my time required which is my boss's great hope for the 

I agree that it will *not* save time, even if you can get the false +ve 
rate down to something manageable.  (The commercial product should be 
much better here than snort for this since they are doing much more 
analysis.) I also agree that with a network IDS you still need argus 
so you can see the context of the incident, which I believe is very 
important.

> 	As to Russell's attack, in my case one of the things I do on a semi
> regular basis is dump out all the telnets inbound to our machines. A sudden
> change in the traffic pattern (as in half the Internet suddenly connecting,
> or as little as one offsite connection to a machine that hasn't had one before)
> gets a query to the administrator.

Hmmm.... I would include ssh too, crackers seem to be quite worried 
about privacy these days ;-)

I have thought of doing this too but have not got around to it.  In 
this case it would not have helped (unless the attackers had made a lot 
of use of the machine) since there were regular telnet sessions from 
staff who were on leave and collaborators at other sites.  Sigh...

One thing I do do is dump all non-http traffic to many of our publicly 
advertised web servers.  I also try to get departments to consolidate 
web servers on dedicated systems that don't also host lots of other 
services. 

Cheers, Russell
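The two checks discussed in this thread (Peter's "new offsite telnet peer" query, with ssh added as Russell suggests, and Russell's "anything non-http to a public web server" dump) as an added worked example. This is not code from the argus project or from either poster; the flow records are a constructed CSV approximation of a flow summary (time, proto, saddr, sport, daddr, dport, bytes), not argus's ra(1) output, and the addresses (RFC 5737 documentation ranges), the site prefix 192.0.2.0/24 and the baseline of known peers are all made up for the example. It also shows the gap Russell mentions: a session from a peer already in the baseline (a collaborator site) is not reported even if the intruder is using it.

```python
"""Flow-record checks in the spirit of the list discussion: new offsite
telnet/ssh peers per local host, distinct-peer counts, and any non-HTTP
traffic reaching a public web server.

Added example, not argus code or the posters' own scripts. The record
format below is a constructed CSV approximation of a flow summary; it is
NOT argus ra(1) output. Addresses and the baseline are made up.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: our address space is 192.0.2.0/24 and one host is a public web server.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WEB_SERVERS = {"192.0.2.80"}
INTERACTIVE = {23: "telnet", 22: "ssh"}   # ssh included, per Russell's remark
WEB_PORTS = {80, 443}

# Constructed sample flows (not captured data): time,proto,saddr,sport,daddr,dport,bytes
CONSTRUCTED_FLOWS = """\
2000-09-11T08:00:01,tcp,203.0.113.7,40001,192.0.2.10,23,4120
2000-09-11T08:05:42,tcp,198.51.100.44,51022,192.0.2.10,22,9800
2000-09-11T08:06:10,tcp,198.51.100.44,51030,192.0.2.10,23,2210
2000-09-11T08:10:00,tcp,192.0.2.5,33000,192.0.2.10,23,600
2000-09-11T09:00:00,tcp,203.0.113.200,60000,192.0.2.80,80,15000
2000-09-11T09:00:07,tcp,203.0.113.200,60010,192.0.2.80,23,120
2000-09-11T09:01:00,udp,203.0.113.9,5353,192.0.2.80,53,90
2000-09-11T09:02:00,tcp,203.0.113.9,44000,192.0.2.80,443,30000
"""

# Constructed baseline of offsite peers already seen per (server, service),
# e.g. a collaborator site that telnets in regularly.
BASELINE = {("192.0.2.10", "telnet"): {"203.0.113.7"}}


def parse_flows(text):
    """Parse the constructed CSV into dicts with integer ports and byte counts."""
    fields = ["time", "proto", "saddr", "sport", "daddr", "dport", "bytes"]
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        rec = dict(zip(fields, row))
        for k in ("sport", "dport", "bytes"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def inbound_interactive_peers(flows):
    """Map (server, service) -> set of offsite sources for inbound telnet/ssh.
    Internal-to-internal sessions are ignored."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in INTERACTIVE:
            continue
        if is_local(f["daddr"]) and not is_local(f["saddr"]):
            peers[(f["daddr"], INTERACTIVE[f["dport"]])].add(f["saddr"])
    return peers


def new_interactive_peers(flows, baseline):
    """Sorted (server, service, saddr) tuples not in the baseline: the 'one
    offsite connection to a machine that hasn't had one before' case. A known
    peer is never reported, even if the session is really an intruder's."""
    out = []
    for key, srcs in inbound_interactive_peers(flows).items():
        for s in sorted(srcs - baseline.get(key, set())):
            out.append((key[0], key[1], s))
    return sorted(out)


def peer_counts(flows):
    """Distinct offsite peers per (server, service); a jump against the usual
    figure is the 'half the Internet suddenly connecting' signal."""
    return {key: len(srcs) for key, srcs in inbound_interactive_peers(flows).items()}


def non_http_to_web(flows):
    """Every flow to a public web server that is not TCP/80 or TCP/443."""
    hits = []
    for f in flows:
        if f["daddr"] in WEB_SERVERS and not (f["proto"] == "tcp" and f["dport"] in WEB_PORTS):
            hits.append((f["time"], f["proto"], f["saddr"], f["dport"]))
    return hits


if __name__ == "__main__":
    flows = parse_flows(CONSTRUCTED_FLOWS)
    for server, service, src in new_interactive_peers(flows, BASELINE):
        print(f"new offsite {service} peer for {server}: {src}")
    for key, n in sorted(peer_counts(flows).items()):
        print(f"{key[0]} {key[1]}: {n} distinct offsite peers")
    for t, proto, src, dport in non_http_to_web(flows):
        print(f"{t} non-HTTP {proto}/{dport} to web server from {src}")
```

Against the constructed records, the script reports the new ssh and telnet peer on 192.0.2.10 and the telnet connection to the web server, but stays silent about 203.0.113.7 because that site is in the baseline; the non-HTTP check independently catches both the telnet and the UDP/53 flow to 192.0.2.80. In practice the baseline would be built from a few weeks of argus history rather than typed in.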
