Language Selection

English French German Italian Portuguese Spanish

When Snort is not enough

Filed under

As an independent security consultant I offered a course to customers called Network Security Operations, which covered network-centric intrusion detection, response and forensics. Students often asked, "Is this the Snort course?" And I answered, "Not exactly, but you're probably in the right place."

I've been inspecting and acting upon network traffic for 10 years. When I tell people that I use network traffic as one means to detect and respond to intrusions, many respond by saying, "So you use Ethereal, right?" I find myself responding in a similar manner to the Snort question: "Not exactly, but sometimes."

Both of these questions point to customer perceptions of common ways to detect and respond to intrusions. The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena.

More Here

re: Snort

Snort is IDS (not IPS), and generates WAAAAAAAAAAY more false alarms then any real attacks.

The author states: "At the end of the day, you can never have enough data." - I guess that's true when you're a "security consultant" and charge by the hour to wade thru the reams of fluff looking for a line or two indicating a real attack (like SETI only not as exciting - or probable).

Firewalls are like windshields - they both catch a zillon nasties ON THE OUTSIDE. It's only when they come INSIDE do you have to worry.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

today's howtos

Raspberry Pi Zero: The Latest

Linux Foundation adds Open Networking Summit to event portfolio

The Linux Foundation is adding the Open Networking Summit to its event portfolio beginning with the next show scheduled for March 14 in Santa Clara, California. The ONS was initially started by companies focused on software-defined networking technologies to enable collaboration efforts centered on SDN, OpenFlow and network functions virtualization. Those events have seen collaborative efforts announced from the likes of AT&T, Google and the Linux Foundation. Read more

Richard Stallman Is Not The Father Of Open Source

Richard Stallman wants to make one thing completely clear: He is not the father. "I'm not the father of open source. If I'm the father of open source, it was conceived by artificial insemination without my knowledge or consent," he proclaimed from the keynote stage last month at Fossetcon 2015. It wasn't close to the strongest statement he made from that stage. Read more