[NBLUG/talk] Need advice on intrusion detection systems, etc.

Linford Mark mlinford at santarosa.edu
Tue Aug 2 09:40:29 PDT 2005

Good Morning, NBLUG-ites.

I'm looking for some intrusion detection system advice. In the past few months, I've noticed a drastic increase in the number of "attacks" against our network. Checking our logs from each evening, I see a variety of suspicious activity hitting our computers, including:

1. Numerous attempts to access many different ssh accounts from the same IP address over a short period of time
2. Email sent from a singular server to (mostly) non-existing addresses, some based on dictionary words (tom@, dick@, harry@, etc.), others obviously random (00s54qqq@, etc.).
3. Continuous attempts from particular IP addresses to run exploits against our web servers.

Unfortunately, these mostly happen in the middle of the night or over the weekend, when I'm (in theory) blissfully unaware. Of course, I only find out about these attacks after the fact, when there's not much else I can do but clean up the damage and clear my logs.

So, I'm looking for something that can detect these types of network behaviors and can act on them automatically. Now, I'm peripherally familiar with Snort, but I think I need something a bit more flexible.

Here's an example: Let's say I have an email server that sends me 50 emails to non-existing email addresses within a short period of time. Obviously, this isn't a mistake - either someone's trying to mail bomb us, or they're running a dictionary attack and trying to harvest real email addresses. So, instead of letting this jerk continue to hammer our servers, I'd like to automatically block them from my network, either temporarily or until I can act on it (say, when I arrive the next morning). I don't think Snort can handle this type of request (though I could be wrong).

Any advice/product recommendations/etc. on how to proceed? Thanks!
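The behaviour asked for above (count events from one source address over a short window, block the address once a threshold is crossed) is exactly a log-tailing rate detector rather than a signature IDS. The following is an added example written for this page, not code from the original post or from NBLUG: it parses constructed sshd and Postfix-style syslog lines (invented for the example, not the poster's logs), keeps a sliding window of failures per source address and event type, and emits the iptables command it would run. The thresholds, the 2005 year assumed for the year-less syslog timestamps, the 10.0.0.0/8 allowlist and the example.edu/example.net hostnames are all assumptions for illustration; the script only prints the commands instead of executing them.

```python
"""Sliding-window brute-force / harvesting detector over syslog-style lines.

Added example for the NBLUG thread, not the poster's code. Sample log lines
below are constructed; thresholds and networks are illustrative assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample syslog lines (not real logs). Syslog timestamps carry no
# year; the parser assumes 2005, the year of the post.
SAMPLE_LOG = """\
Aug  2 02:14:01 mail sshd[4012]: Failed password for invalid user tom from 203.0.113.7 port 51234 ssh2
Aug  2 02:14:03 mail sshd[4015]: Failed password for invalid user dick from 203.0.113.7 port 51240 ssh2
Aug  2 02:14:05 mail sshd[4019]: Failed password for invalid user harry from 203.0.113.7 port 51251 ssh2
Aug  2 02:14:08 mail sshd[4022]: Failed password for root from 203.0.113.7 port 51260 ssh2
Aug  2 02:14:10 mail sshd[4026]: Failed password for root from 203.0.113.7 port 51266 ssh2
Aug  2 02:14:12 mail sshd[4030]: Failed password for root from 203.0.113.7 port 51270 ssh2
Aug  2 02:20:44 mail sshd[4101]: Failed password for staff1 from 198.51.100.20 port 40021 ssh2
Aug  2 02:20:51 mail sshd[4101]: Accepted password for staff1 from 198.51.100.20 port 40021 ssh2
Aug  2 03:30:10 mail postfix/smtpd[5120]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 550 5.1.1 <tom@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<tom@example.edu> proto=ESMTP helo=<mx.example.net>
Aug  2 03:30:12 mail postfix/smtpd[5120]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 550 5.1.1 <dick@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<dick@example.edu> proto=ESMTP helo=<mx.example.net>
Aug  2 03:30:15 mail postfix/smtpd[5120]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 550 5.1.1 <harry@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<harry@example.edu> proto=ESMTP helo=<mx.example.net>
Aug  2 03:30:19 mail postfix/smtpd[5120]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 550 5.1.1 <00s54qqq@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<00s54qqq@example.edu> proto=ESMTP helo=<mx.example.net>
Aug  2 03:30:24 mail postfix/smtpd[5120]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 550 5.1.1 <zz9plural@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<zz9plural@example.edu> proto=ESMTP helo=<mx.example.net>
Aug  2 03:31:00 mail postfix/smtpd[5133]: NOQUEUE: reject: RCPT from relay.example.org[192.0.2.50]: 550 5.1.1 <bob@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<bob@example.edu> proto=ESMTP helo=<relay.example.org>
Aug  2 03:45:00 mail postfix/smtpd[5140]: NOQUEUE: reject: RCPT from relay.example.org[192.0.2.50]: 550 5.1.1 <carol@example.edu>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<carol@example.edu> proto=ESMTP helo=<relay.example.org>
Aug  2 04:00:01 mail sshd[4300]: Failed password for invalid user test from 10.1.2.3 port 33001 ssh2
Aug  2 04:00:02 mail sshd[4301]: Failed password for invalid user test from 10.1.2.3 port 33002 ssh2
Aug  2 04:00:03 mail sshd[4302]: Failed password for invalid user test from 10.1.2.3 port 33003 ssh2
Aug  2 04:00:04 mail sshd[4303]: Failed password for invalid user test from 10.1.2.3 port 33004 ssh2
Aug  2 04:00:05 mail sshd[4304]: Failed password for invalid user test from 10.1.2.3 port 33005 ssh2
"""

ASSUMED_YEAR = 2005  # syslog has no year field
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>" + IPV4 + r")")
SMTP_UNKNOWN = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\s\[]+\[(?P<ip>" + IPV4 + r")\]: "
    r"550 .*?<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown")

Event = namedtuple("Event", "ts kind ip detail")


def parse_line(line):
    """Return an Event for an ssh failure or an SMTP unknown-recipient reject, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    m = SSH_FAIL.search(line)
    if m:
        return Event(ts, "ssh", m.group("ip"), m.group("user"))
    m = SMTP_UNKNOWN.search(line)
    if m:
        return Event(ts, "smtp", m.group("ip"), m.group("rcpt"))
    return None  # accepted logins, delivered mail, anything else: ignored


class RateDetector:
    """Block a source once it produces `threshold` events of one kind within `window_seconds`."""

    def __init__(self, threshold=5, window_seconds=60, allowlist=()):
        self.threshold = threshold
        self.window = window_seconds
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.recent = defaultdict(deque)  # (ip, kind) -> timestamps inside the window
        self.blocked = {}                 # ip -> (kind, count, iptables command)
        self.suppressed = []              # (ip, kind) that crossed the threshold but is allowlisted

    def _allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def feed(self, ev):
        """Record one event; return the block command if this event trips the threshold."""
        if ev.ip in self.blocked:
            return None
        q = self.recent[(ev.ip, ev.kind)]
        q.append(ev.ts)
        while (ev.ts - q[0]).total_seconds() > self.window:  # slide the window forward
            q.popleft()
        if len(q) < self.threshold:
            return None
        if self._allowlisted(ev.ip):  # never lock out your own networks or monitoring hosts
            if (ev.ip, ev.kind) not in self.suppressed:
                self.suppressed.append((ev.ip, ev.kind))
            return None
        cmd = f"iptables -I INPUT -s {ev.ip} -j DROP"  # printed, not executed, in this example
        self.blocked[ev.ip] = (ev.kind, len(q), cmd)
        return cmd


def run(log_text, threshold=5, window_seconds=60, allowlist=("10.0.0.0/8",)):
    """Feed every parseable line to a detector; return (detector, list of block commands)."""
    det = RateDetector(threshold, window_seconds, allowlist)
    commands = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        cmd = det.feed(ev)
        if cmd:
            commands.append(cmd)
    return det, commands


if __name__ == "__main__":
    det, cmds = run(SAMPLE_LOG)
    for cmd in cmds:
        print("would run:", cmd)
    for ip, kind in det.suppressed:
        print("over threshold but allowlisted:", ip, kind)
```

Two caveats a practitioner would add before wiring the printed command to a real `subprocess` call: keep an allowlist of your own address space (as above) so a misconfigured internal box or a NAT gateway shared by many users does not get you locked out of your own servers, and record when each rule was inserted so a cron job can remove blocks after the "until I arrive the next morning" interval the post describes. Tools such as fail2ban and DenyHosts implement this same tail-regex-threshold-iptables loop with per-service rule files.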


