Language Selection

English French German Italian Portuguese Spanish

When Snort is not enough

Filed under
Software

As an independent security consultant I offered a course to customers called Network Security Operations, which covered network-centric intrusion detection, response and forensics. Students often asked, "Is this the Snort course?" And I answered, "Not exactly, but you're probably in the right place."

I've been inspecting and acting upon network traffic for 10 years. When I tell people that I use network traffic as one means to detect and respond to intrusions, many respond by saying, "So you use Ethereal, right?" I find myself responding in a similar manner to the Snort question: "Not exactly, but sometimes."

Both of these questions point to customer perceptions of common ways to detect and respond to intrusions. The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena.

More Here




re: Snort

Snort is IDS (not IPS), and generates WAAAAAAAAAAY more false alarms then any real attacks.

The author states: "At the end of the day, you can never have enough data." - I guess that's true when you're a "security consultant" and charge by the hour to wade thru the reams of fluff looking for a line or two indicating a real attack (like SETI only not as exciting - or probable).

Firewalls are like windshields - they both catch a zillon nasties ON THE OUTSIDE. It's only when they come INSIDE do you have to worry.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

more of today's howtos

Leftovers: OSS and Sharing

Microsoft Begs, Bugs, and Bug Doors

  • Don't install our buggy Windows 10 Creators Update, begs Microsoft
    Microsoft has urged non-tech-savvy people – or anyone who just wants a stable computer – to not download and install this year's biggest revision to Windows by hand. And that's because it may well bork your machine. It's been two weeks since Microsoft made its Creators Update available, and we were previously warned it will be a trickle-out rather than a massive rollout. Now, Redmond has urged users to stop manually fetching and installing the code, and instead wait for it to be automatically offered to your computer when it's ready.
  • Microsoft Word flaw took so long to fix that hackers used it to send fraud software to millions of computers
    A flaw in Microsoft Word took the tech giant so long to fix that hackers were able to use it to send fraud software to millions of computers, it has been revealed. The security flaw, officially known as CVE-2017-0199, could allow a hacker to seize control of a personal computer with little trace, and was fixed on April 11 in Microsoft's regular monthly security update - nine months after it was discovered.

FOSS Licensing (and Lack Thereof)

  • Portugal to harmonise usability of govt portals
    All of the code, information and tools are made available for reuse.
  • JRC: ‘Releasing code without a licence hinders reuse’
    Projects that publish source code without a licence weaken the reusability of their code, warns Stefano Gentile, a copyright and trademark specialist working for the European Commission’s Joint Research Centre (JRC). Currently just 20 % of all projects published on GitHub, one of the most popular source code sharing platforms, have selected a licence for their work - down from about 60% in 2008, Gentile said, quoting numbers published in 2015 by GitHub.
  • React to React
    The Additional Grant of Patent Rights is a patent license grant that includes certain termination criteria. These termination criteria are not entirely unprecedented when you look at the history of patent license provisions in OSI-approved licenses, but they are certainly broader than the termination criteria [or the equivalent] in several familiar modern licenses (the Apache License 2.0, EPL, MPL 2.0, and GPLv3).
  • BetConstruct declares the source code for its front-end as open source
    The project is distributed under MIT license.