On Sat, 17 Jun 2000, Alan Mead wrote:

> I know it's not what the client asked for... but since it's free and worked
> well for me, each of the client boxes should run portsentry to detect
> portscans.
> 
> Is the DMZ a hubbed LAN?  You could sniff all the traffic and try to match
> patterns.  But really the better place for this would be on a firewall
> separating the DMZ from the Internet.
> 

Assuming the LAN is a single collision domain, as Alan asks, snort
(http://www.clark.net/~roesch/security.html) is an excellent tool. It is
basically a sniffer with a packet analysis engine. See
http://rootprompt.org/article.php3?article=520 for a good writeup on snort
and passive monitoring in general.

If the network is switched, you'd have to run snort on each segment or
connect the fortress to each segment.

HTH,

Bill Carlson
------------
Systems Programmer    [EMAIL PROTECTED]    |  Opinions are mine,
Virtual Hospital      http://www.vh.org/        |  not my employer's.
University of Iowa Hospitals and Clinics        |


