I'd opt for e, that being...

Provide the capability to do _either_ a or b (basically an option c but with
selectivity). Or, do one or both components of d. The idea being the ability
to selectively monitor the inside and/or the outside traffic.


> -----Original Message-----
> From: Jack McCauley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 14, 2001 4:30 PM
> To: Justin Funke
> Cc: [EMAIL PROTECTED]
> Subject: Re: [e-smith-devinfo] Intrusion Detection System Dilemma
> 
> 
> Justin;
> 
>     Probably just my paranoia showing, but I like option c) the best with
> option d) a second choice.
> 
> ----- Original Message -----
> From: "Justin Funke" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, February 14, 2001 2:24 PM
> Subject: [e-smith-devinfo] Intrusion Detection System Dilemma
> 
> 
> > I am just finishing my snort rpm for e-smith and have come across a big
> > option/configuration that I want to throw at the list for some feedback.
> >
> > I am trying to make the snort add-on a "boxed" rpm where it will work with
> > minimal configuration. I have made several (changeable) decisions based on
> > experience for some of the different options.
> >
> > For an Intrusion Detection System there are different ways of running it.
> >
> > a) Watch what the server firewall/IPchains lets through to the private
> > network and flag suspicious traffic based on that
> >
> > b) Watch all traffic on the public side of the firewall to see what
> > suspicious traffic is coming to your firewall, even though most of it is
> > irrelevant garbage that gets blocked anyways
> >
> > c) Watch both, and log all the traffic to different log/report files
> >
> > d) ... a variance of option c but instead of running two full instances of
> > Snort have a full one running on the public side and a very specific small
> > instance running on the inside looking for anything that may slip through
> > the firewall, machines running Napster, MSN Messenger etc. / I also have
> > some custom rules that look for internal/external machines trying to
> > access e-smith-manager
> >
> > I have almost finished the package based on option A but now am
> > considering option D.
> >
> > If I have missed anything you think could be good for the package please
> > post and I will include it.
> >
> > Thanks,
> >
> > Justin Funke
> >
> > --
> > This list is archived
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> 

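The split monitoring Justin describes in option d (a broad watch on the public side of the firewall, a small and very specific watch on the private side, each reporting separately) is easy to sketch as a toy model. The following is an added example written for this thread; it is not code from the e-smith snort package or from Snort itself. The interface names `eth0`/`eth1`, the private network prefix, the port numbers for e-smith-manager, Napster and MSN Messenger, and the set of publicly offered ports are all assumptions chosen for illustration, and the packets it runs over are constructed inline.

```python
"""Toy model of option d from the thread: two monitors with different rule
sets, one on the public interface and one on the private interface, each
writing alerts to its own report.  Added example, not from e-smith or Snort."""
from dataclasses import dataclass

# All of the following values are assumptions made for this example.
PUBLIC_IFACE = "eth0"          # assumed: interface facing the Internet
PRIVATE_IFACE = "eth1"         # assumed: interface facing the LAN
PRIVATE_NET = "192.168.1."     # assumed: prefix of the private network
E_SMITH_MANAGER_PORT = 980     # assumed placeholder for the e-smith-manager port
NAPSTER_PORT = 6699            # assumed port used by Napster clients
MSN_MESSENGER_PORT = 1863      # assumed port used by MSN Messenger
PUBLIC_SERVICES = {25, 80, 443}  # assumed: ports the firewall lets in from outside


@dataclass
class Packet:
    """One observed TCP segment, tagged with the interface it was seen on."""
    iface: str
    src: str
    dst: str
    dport: int
    flags: str   # "S" marks a SYN, i.e. a connection attempt


def is_internal(ip):
    return ip.startswith(PRIVATE_NET)


# Broad rule set for the public side: everything knocking on the door,
# including connection attempts the firewall will drop anyway (option b).
PUBLIC_RULES = [
    ("SYN to a port not offered publicly",
     lambda p: p.flags == "S" and p.dport not in PUBLIC_SERVICES),
    ("external host probing e-smith-manager",
     lambda p: p.dport == E_SMITH_MANAGER_PORT and not is_internal(p.src)),
]

# Narrow rule set for the private side: only what slipped through the
# firewall or originates on the LAN and should not (option d's small instance).
PRIVATE_RULES = [
    ("internal host connecting to e-smith-manager",
     lambda p: p.dport == E_SMITH_MANAGER_PORT),
    ("Napster client on the LAN",
     lambda p: is_internal(p.src) and p.dport == NAPSTER_PORT),
    ("MSN Messenger client on the LAN",
     lambda p: is_internal(p.src) and p.dport == MSN_MESSENGER_PORT),
]


def monitor(packets):
    """Route each packet to the monitor for its interface and apply that
    monitor's rules.  Returns one alert list per side, standing in for the
    separate log/report files of options c and d."""
    reports = {"public": [], "private": []}
    for p in packets:
        if p.iface == PUBLIC_IFACE:
            side, rules = "public", PUBLIC_RULES
        elif p.iface == PRIVATE_IFACE:
            side, rules = "private", PRIVATE_RULES
        else:
            continue  # unknown interface: neither monitor sees it
        for name, matches in rules:
            if matches(p):
                reports[side].append(f"{name}: {p.src} -> {p.dst}:{p.dport}")
    return reports


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("eth0", "203.0.113.5", "198.51.100.1", 23, "S"),     # telnet probe, blocked
    Packet("eth0", "203.0.113.5", "198.51.100.1", 980, "S"),    # outside -> manager
    Packet("eth0", "203.0.113.9", "198.51.100.1", 80, "S"),     # ordinary web hit
    Packet("eth1", "192.168.1.10", "192.168.1.1", 980, "S"),    # LAN -> manager
    Packet("eth1", "192.168.1.11", "203.0.113.77", 6699, "S"),  # Napster on LAN
    Packet("eth1", "192.168.1.12", "203.0.113.78", 80, "S"),    # normal browsing
]


def run_sample():
    return monitor(SAMPLE_PACKETS)


if __name__ == "__main__":
    for side, alerts in run_sample().items():
        print(f"--- {side} report ---")
        for line in alerts:
            print(line)
```

Run it directly to see the two reports side by side. The point of the split is visible in the output: the public monitor is noisy by design (a blocked telnet probe still shows up there), while the private monitor only fires on the handful of conditions that matter once traffic is already inside, which is what keeps the inside instance small.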