TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

We have RealSecure too and I'm currently setting up Shadow (TCPdump). 

When is the best time to use RealSecure, Shadow, or Snort? Shadow, I know, is
not real-time.

Thanks,
Jaime

-----Original Message-----
From: Erickson Brent W KPWA [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 27, 2001 10:44 AM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: User-Defined Connections Re:




Hello all,

We run two Snort systems and one Real Secure system. We have about 30 "tip
off" signatures for Real Secure for public web servers and other systems
that do and do not exist in our dmz.

When we do intrusion detection from home during the evenings and weekends,
as the Snort portscan pre-processor goes off and starts alerting us by
e-mail, the Real Secure tip off signatures, also via e-mail, tell us what
port is being scanned so we do not have to download the Snort portscan log
from home to tell what port is being hit. This allows us to route null
possible serious attacks in progress very quickly.

Snort and Real Secure can be tuned to complement each other quite well.

Hope this will help.

Sincerely,

Brent Erickson

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 9:59 PM
> To:   [EMAIL PROTECTED]
> Subject:      User-Defined Connections Re:
> 
> 
> 
>   I routinely watch for connection attempts to addresses I own, but 
> that don't currently have machines assigned.  Perhaps 10% of the 
> time, these turn out to reveal configuration errors; the other 90% of 
> the time, they're intruders trying to *find out* what addresses have 
> exploitable machines attached.
>   So I'd say there's merit.
> 
> David Gillett
> 
> 
> 
> On 24 May 2001, at 10:07, Staci Marcum wrote:
> 
> > Hi All,
> >     My question is this. Is there merit in creating User Defined connections
> > to tell you when someone is trying to use IPs that you know your
> > organization does not? The way of thinking here is that anyone who hit these
> > IPs that you know are empty could possibly be an attacker. The other
> > question is if I make a user defined connection from any, to -my void IP,
> > service any. Will I be alerted? Or am I doing it wrong?
> >   Thanks to all!!! 
> 
> 
> 
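
As an added example (not written by any poster in this thread), the watch on owned-but-unassigned addresses discussed above can be run offline over tcpdump-style output, reporting which ports each source probed. The address ranges, sample lines and function names are constructed for illustration, and the internal/external split is an assumption of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed for the example: the range we own and the addresses that have hosts.
OWNED = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.25")}

# Constructed sample lines in `tcpdump -nn` style (not real traffic).
SAMPLE = """\
10:07:01.10 IP 198.51.100.7.40112 > 192.0.2.10.80: Flags [S], length 0
10:07:01.20 IP 198.51.100.7.40113 > 192.0.2.11.80: Flags [S], length 0
10:07:01.30 IP 198.51.100.7.40114 > 192.0.2.12.80: Flags [S], length 0
10:07:01.40 IP 198.51.100.7.40115 > 192.0.2.13.21: Flags [S], length 0
10:07:02.00 IP 192.0.2.25.51000 > 192.0.2.99.514: Flags [S], length 0
10:07:03.00 IP 192.0.2.10.80 > 198.51.100.7.40112: Flags [S.], length 0
10:07:04.00 IP 203.0.113.9.33000 > 192.0.2.25.25: Flags [S], length 0
"""

# Matches initial SYNs only; a SYN-ACK ("[S.]") does not match.
SYN = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[S\]")

def is_dark(addr):
    """Owned but unassigned: nothing legitimate should be connecting here."""
    return addr in OWNED and addr not in ASSIGNED

def dark_hits(lines):
    """Group connection attempts aimed at dark addresses by source address."""
    hits = defaultdict(lambda: {"targets": set(), "ports": set()})
    for line in lines:
        m = SYN.search(line)
        if not m:
            continue  # not a connection attempt (reply, data, unparsable line)
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(3))
        if is_dark(dst):
            hits[src]["targets"].add(dst)
            hits[src]["ports"].add(int(m.group(4)))
    return hits

def report(hits):
    """One row per source, widest sweep first. Internal sources are labelled
    separately (assumption: those are the likelier configuration errors)."""
    rows = []
    for src, h in hits.items():
        kind = "internal" if src in OWNED else "external"
        rows.append((str(src), kind, len(h["targets"]), sorted(h["ports"])))
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for row in report(dark_hits(SAMPLE.splitlines())):
        print(row)
```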



