>Sorry Kyle, this is in response to your mail, but not "directed" at you :)
>
>On Wed, 6 Sep 2000, Haugsness, Kyle wrote:
>
>> So if you need to watch some big pipes, start taking a look at other
>> products such as Network Flight Recorder (hi Marcus), Network Security
>> Wizards' Dragon, or even snort.
>
>Currently NFR's solution is also based on the load balancer.  NFR admits
>that their product cannot accurately watch for things like portscans
>across multiple hosts in a load balanced setup:
>
>NFR's response to me:
># Just following up to make sure you got my last email (about 2 weeks ago)
># saying that you were correct in that our load balancing solution would
># not work in the situation you described.
><snip>
># However,  this still works fairly well because generally portscans
># involve a large number of ports.
><snip>
>
>I'm not sure which Internet that NFR's connected to, but it must be
>something other than the one I'm on.  Programs like wu-scan exist for the
>sole purpose of doing single port scanning across entire network segments 
>looking for hosts with a specific exploit.  This is not the first program
>like this, nor will it be the last.
>
>Network-based IDS seems to still be aimed at the small network, although
>every commercial host-based IDS I've found doesn't include port-level
>watching on the host.  I'd really like one of the commercial IDS people
>make a host IDS with port-level detection built in, but I've yet to find
>one... unless you run the FREEWARE portsentry (unix-only) with it,
>then most commercial IDS can watch logs and report... but at that point,
>why bother since portsentry can already run custom commands on its
>own (like e-mailing the NOC that scans are in progress).
>

feather-weight intrusion detection:
Well, I've maintained a port scan detector since 1996 or so. But it only works
on Solaris/SunOS (written in DLPI - so should be portable
to other DLPI OS filter stacks). Then there's courtney and
gabriel which are sort of amalgamations of Perl and tcpdump.

That combined with snort provides you with poor-man's host-based detection.


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
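The point the quoted poster makes about load-balanced sensors (a single-port sweep across many hosts is invisible when each sensor only sees a slice of the flows) can be shown with a small correlation check. The following is an added example written for this page, not code from the thread, from NFR, or from portsentry. It assumes a constructed record format (`<epoch> <sensor_id> <src_ip> <dst_ip> <dst_port>`) that a sensor array might emit, and the sample records are constructed. It runs the same horizontal-scan detector twice, once per sensor (what a load-balanced array sees) and once over the merged records, to show that only the merged view produces the alert.

```python
"""Horizontal (single-port, many-host) scan detection across sensors.

Added example for this thread; not the original post's code. Record
format and sample data are constructed (hypothetical):
    <epoch> <sensor_id> <src_ip> <dst_ip> <dst_port>
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    ts: int
    sensor: str
    src: str
    dst: str
    dport: int


# Constructed sample: 10.0.0.5 probes port 21 on twelve hosts in twelve
# seconds, but a round-robin load balancer spreads the flows across three
# sensors (s1, s2, s3), so each sensor sees only four target hosts.
# Two benign connections from 10.0.0.9 are mixed in as noise.
SAMPLE_LOG = """\
1000 s1 10.0.0.5 192.0.2.1 21
1001 s2 10.0.0.5 192.0.2.2 21
1002 s3 10.0.0.5 192.0.2.3 21
1003 s1 10.0.0.5 192.0.2.4 21
1004 s2 10.0.0.5 192.0.2.5 21
1005 s1 10.0.0.9 192.0.2.1 80
1005 s3 10.0.0.5 192.0.2.6 21
1006 s1 10.0.0.5 192.0.2.7 21
1007 s2 10.0.0.5 192.0.2.8 21
1008 s3 10.0.0.5 192.0.2.9 21
1009 s1 10.0.0.5 192.0.2.10 21
1010 s2 10.0.0.5 192.0.2.11 21
1011 s3 10.0.0.5 192.0.2.12 21
1030 s2 10.0.0.9 192.0.2.1 80
"""


def parse_records(text: str) -> List[Conn]:
    """Parse the constructed record format; blank and '#' lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sensor, src, dst, dport = line.split()
        out.append(Conn(int(ts), sensor, src, dst, int(dport)))
    return out


def horizontal_scans(records: List[Conn], min_hosts: int = 8, window: int = 60,
                     per_sensor: bool = False) -> Dict[Tuple, int]:
    """Find sources that touched >= min_hosts distinct hosts on one port
    within any `window`-second span.

    Returns {(src, dport[, sensor]): peak_distinct_hosts} for offenders.
    per_sensor=True keys on the sensor as well, which mimics an array where
    every sensor runs its own detector over only the flows it received.
    """
    groups: Dict[Tuple, List[Conn]] = defaultdict(list)
    for r in records:
        key = (r.src, r.dport, r.sensor) if per_sensor else (r.src, r.dport)
        groups[key].append(r)

    alerts: Dict[Tuple, int] = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        seen: Counter = Counter()   # distinct dst hosts inside the window
        lo = 0
        peak = 0
        for e in evs:
            seen[e.dst] += 1
            # Evict events that fell out of the trailing window.
            while evs[lo].ts < e.ts - window:
                old = evs[lo].dst
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            peak = max(peak, len(seen))
        if peak >= min_hosts:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("per-sensor view:", horizontal_scans(recs, per_sensor=True))
    print("merged view:    ", horizontal_scans(recs))
```

With the sample data the per-sensor run returns nothing, because no single sensor saw more than four targets, while the merged run flags `10.0.0.5` on port 21 with twelve hosts. The practical consequence is the one the thread reaches: if sensors are load balanced, the correlation step has to happen somewhere that sees all the records (a central collector or the host itself), and the threshold should count distinct hosts per port, not ports per host, or the sweep stays below it.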