Hi Jeff,

> > - Put your own sniffer on the same subnet and log all traffic to the box.
>
> That's a bit beyond me at the moment; I have a book I'll look it up in.
> Good idea, though I'm not sure I'm the one who wants to wade through the
> logs <wry grin>.
Give Demarc a look (www.demarc.org). It's a web-based frontend to Snort and I use it on my own machine. It logs to a MySQL database and, depending on how good your Snort signatures are, you'll get a pretty solid impression of what's going on in your subnet. Sure, there will be many reports to look after, but after a week or two you'll figure out that you don't need most of the rules and you drop 'em out - leaving only those items of interest you really want to know about.

Demarc does quite a good job as it also helps to identify which websites and servers are running such horrible things as upload.cgi or formail.pl. Services which you usually only learn about when your disks are full, or when your Sendmail is putting in an extra shift or two. ;o)

--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
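The tuning loop Michael describes (watch what fires for a week or two, drop the rules that only produce noise, keep the ones that tell you which server is still exposing an old CGI script) can be done from Snort's plain alert log without a database. The script below is an added example, not part of Demarc or Snort: it parses lines in Snort's alert_fast layout, counts hits per rule so the noisiest ones can be reviewed for disabling, and lists which local hosts a given rule fired against. The log lines embedded in it are constructed samples; the SIDs are in the local rule range (1000000 and up), not real signatures, and the hosts are documentation addresses.

```python
"""Triage Snort alert_fast output: hits per rule (for pruning) and
targets per rule (to find servers still running an old CGI script).

Added example, not code from Demarc or Snort.  SAMPLE_ALERTS below is a
constructed log in the alert_fast layout; the SIDs are local-range
placeholders and the addresses are documentation/private ranges.
"""
import re
from collections import Counter

# One alert per line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
# The Classification block is optional (rules without a classtype omit it).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: a chatty ICMP rule, two CGI rules, one junk line.
SAMPLE_ALERTS = """\
03/15-10:01:02.000001  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.10
03/15-10:01:03.000002  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.10
03/15-10:01:04.000003  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.10
03/15-10:02:10.000004  [**] [1:1000002:2] LOCAL WEB-CGI formmail.pl access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:51234 -> 10.0.0.10:80
03/15-10:02:11.000005  [**] [1:1000002:2] LOCAL WEB-CGI formmail.pl access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:51235 -> 10.0.0.11:80
03/15-10:03:00.000006  [**] [1:1000003:1] LOCAL WEB-CGI upload.cgi access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40001 -> 10.0.0.11:80
03/15-10:04:00.000007  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Priority: 3] {ICMP} 10.0.0.8 -> 10.0.0.10
this line is not an alert and must be ignored
"""


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the
    line is not an alert (Snort writes nothing else to this file, but a
    rotated or hand-edited log may contain stray lines)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["priority"] = int(fields.pop("pri"))
    return fields


def parse_alerts(text):
    """Parse a whole log, silently skipping non-alert lines."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]


def hits_per_rule(alerts):
    """Counter of sid -> number of times that rule fired."""
    return Counter(a["sid"] for a in alerts)


def rule_names(alerts):
    """sid -> the rule's msg text, for readable reports."""
    return {a["sid"]: a["msg"] for a in alerts}


def noisy_rules(alerts, threshold):
    """Rules that fired at least `threshold` times, busiest first; these
    are the candidates to review and possibly disable."""
    counts = hits_per_rule(alerts)
    return sorted(((sid, n) for sid, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def targets_for_rule(alerts, sid):
    """Counter of destination hosts a rule fired against, e.g. which web
    servers are still answering requests for a legacy CGI script."""
    return Counter(a["dst"] for a in alerts if a["sid"] == sid)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    names = rule_names(alerts)
    print("alerts parsed:", len(alerts))
    for sid, n in noisy_rules(alerts, 3):
        print(f"review for disabling: sid {sid} ({names[sid]}) fired {n} times")
    for sid in (1000002, 1000003):
        print(f"{names[sid]}: targets {dict(targets_for_rule(alerts, sid))}")
```

Point it at a real `alert` file (the alert_fast output, not the unified/binary log) by replacing `SAMPLE_ALERTS` with the file contents; the threshold for "noisy" is whatever a week of your own traffic suggests. The same parser is the starting point for the opposite question Michael raises, which servers keep appearing as the target of the CGI rules, since those are the hosts to clean up rather than the rules to drop.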
