[afnog] Network Monitoring Tools
Phil Regnauld
regnauld at nsrc.org
Wed May 9 16:03:42 UTC 2012
Chris Wilson (chris+afnog) writes:
> >
> >If there are any signs of rogue network applications or malicious
> >activity on the network
>
> We don't use it, but when I worked for a network security company,
> we used Snort. It's free, reasonable, but needs very careful tuning
> to avoid false alarms. I also don't consider IDS particularly useful
> unless you either:
NetFlow will go a long way to help you identify anomalous network
usage as well.
> (1) automatically block it, and live with the consequences of
> blocking legitimate traffic whenever you get a false alarm; or
Well, it's still useful to know what's happening.
> (2) employ people ("investigators" or "enforcers") to jump on it as
> soon as it happens, and live with the cost of maintaining a team of
> them on call); or
>
> (3) you don't actually care about stopping it, but you want to be
> able to point fingers at someone else after the fact (CYA).
Audit trails are also useful; the intrusion may be a lead-in
for something bigger, or just a good way to know what people
are looking for and fix things before they become a problem.
Phil
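Phil's point that NetFlow helps identify anomalous usage, and Chris's point that detection needs tuning to avoid false alarms, as an added example that is not part of the thread: a per-host baseline over constructed NetFlow-style records, where the field names, addresses and threshold factors are assumptions rather than anything the posters described.

```python
# Added example, not from the thread. Flow records are constructed inline and
# the (src, dst, dport, bytes) shape is an assumption loosely modelled on a
# NetFlow v5 export; this is not a parser for real exports.
from collections import defaultdict
from statistics import median

# Constructed sample (private addresses). In the current window 10.0.0.5 fans
# out to many hosts on one port, and 10.0.0.9 pushes far more bytes than usual.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.1", 443, 12000), ("10.0.0.5", "10.0.1.2", 443, 9000),
    ("10.0.0.9", "10.0.1.3", 443, 15000), ("10.0.0.9", "10.0.1.4", 80, 11000),
    ("10.0.0.7", "10.0.1.1", 22, 3000),   ("10.0.0.7", "10.0.1.5", 22, 2500),
]
CURRENT_FLOWS = [
    ("10.0.0.5", "10.0.1.%d" % i, 445, 400) for i in range(1, 41)
] + [
    ("10.0.0.9", "10.0.1.3", 443, 900000),
    ("10.0.0.7", "10.0.1.1", 22, 2800),
]

def summarize(flows):
    """Per-source totals: bytes sent and number of distinct destinations."""
    total = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, _dport, nbytes in flows:
        total[src] += nbytes
        dsts[src].add(dst)
    return total, dsts

def find_anomalies(baseline, current, byte_factor=10, fanout_factor=5):
    """Flag sources whose current window deviates from their own baseline.
    The factors are the tuning knobs: lowering them catches more but also
    raises more false alarms, which is the trade-off the thread describes."""
    base_bytes, base_dsts = summarize(baseline)
    cur_bytes, cur_dsts = summarize(current)
    findings = []
    for src in cur_bytes:
        # A source with no baseline is compared against the typical host.
        expected_bytes = base_bytes.get(src, 0) or median(base_bytes.values())
        expected_dsts = len(base_dsts.get(src, ())) or 1
        if cur_bytes[src] > byte_factor * expected_bytes:
            findings.append((src, "volume", cur_bytes[src]))
        if len(cur_dsts[src]) > fanout_factor * expected_dsts:
            findings.append((src, "fanout", len(cur_dsts[src])))
    return findings

if __name__ == "__main__":
    for src, kind, value in find_anomalies(BASELINE_FLOWS, CURRENT_FLOWS):
        print(f"{src}: {kind} anomaly ({value})")
```

Each finding is a lead to look at, not a verdict; the audit trail behind it is what lets an operator decide whether it is a scan, a backup job, or a misconfigured host.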