[NBLUG/talk] Need advice on intrusion detection systems, etc.

Mark Street mark at oswizards.com
Tue Aug 2 11:54:17 PDT 2005

"attacks"...  Sounds like some knob turning, probes, etc. ... which can be 
irritating and unsettling none the less.

Snort.....  I think you will find it infinitely more flexible than you ever 
thought possible.  Set some rules and some triggers to do just about anything 
you want.

The Snort 2.0 Intrusion Detection text is pretty good on getting you up and 
running.  I would recommend you get it and read it.

Portsentry is also a nice little tool.

On Tuesday 02 August 2005 09:40, Linford Mark wrote:
> Good Morning, NBLUG-ites.
> I'm looking for some intrusion detection system advice. In the past few
> months, I've noticed a drastic increase in the number of "attacks" against
> our network. Checking our logs from each evening, I see a variety of
> suspicious activity hitting our computers, including:
> 1. Numerous attempts to access many different ssh accounts from the same IP
> address over a short period of time 2. Email sent from a singular server to
> (mostly) non-existing addresses, some based on dictionary words (tom@,
> dick@, harry@, etc.), others obviously random (00s54qqq@, etc.). 3.
> Continuous attempts from particular IP addresses to run exploits against
> our web servers.

> So, I'm looking for something that can detect these types of network
> behaviors and can act on them automatically. Now, I'm peripherally familiar
> with Snort, but I think I need something a bit more flexible.
> Any advice/product recommendations/etc. on how to proceed? Thanks!

Mark Street, RHCE
Key fingerprint = 3949 39E4 6317 7C3C 023E  2B1F 6FB3 06E7 D109 56C0
GPG key http://www.oswizards.com/pubkey.asc

More information about the talk mailing list