When Snort is not enough

As an independent security consultant I offered a course to customers called Network Security Operations, which covered network-centric intrusion detection, response and forensics. Students often asked, "Is this the Snort course?" And I answered, "Not exactly, but you're probably in the right place."

I've been inspecting and acting upon network traffic for 10 years. When I tell people that I use network traffic as one means to detect and respond to intrusions, many respond by saying, "So you use Ethereal, right?" I find myself responding in a similar manner to the Snort question: "Not exactly, but sometimes."

Both of these questions point to customer perceptions of common ways to detect and respond to intrusions. The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena.





re: Snort

Snort is IDS (not IPS), and generates WAAAAAAAAAAY more false alarms than any real attacks.

The author states: "At the end of the day, you can never have enough data." - I guess that's true when you're a "security consultant" and charge by the hour to wade through the reams of fluff looking for a line or two indicating a real attack (like SETI only not as exciting - or probable).

Firewalls are like windshields - they both catch a zillion nasties ON THE OUTSIDE. It's only when they come INSIDE that you have to worry.
