echo: nthelp
to: Richard B.
from: John Beckett
date: 2004-08-12 11:11:46
subject: Re: Network sniffers (software)

From: John Beckett 

Richard B. wrote in message
news::
> Have you ever tried Snort?

No. It was near the top of my to-do list for a while but then I heard this
stuff about how any IDS needs a lot of care-and-feeding. My very vague
impression was that you would need quite a discipline to keep the rules up
to date, and you would need to spend a fair bit of time perusing logs. You
would probably notice a lot of things that looked like disasters, then
after four hours research find an innocent explanation.

I'm sure that there are many people who have mastered Snort and know how to
drive it properly. If you find any, I would like to hear their story.

I have an ISA firewall running on a system linking a network to the
Internet. Initially I played with a VB script that added a rule to block
all traffic from any IP detected as the source of a scan. After a week
there were about 200 rules blocking individual IPs that in practice never
tried to enter the network again.

On one occasion someone managed to do some very fast scanning and my VB
script must have been invoked several times concurrently (i.e. it was
called again before the first instance had finished?). The result was not
pretty. I forget exactly what happened, but I think I had to reset the box.

John

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
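The block-on-scan approach described in the post, and its two failure modes (rules piling up for IPs that never return, and the script being invoked several times at once during a fast scan), as an added example that is not from the original post or the ISA product: a Python sketch of the bookkeeping such a script needs, with a TTL so rules expire instead of accumulating and a lock so overlapping invocations are serialized. The actual firewall call is left out; the class, function names and the 24-hour default TTL are assumptions.

```python
"""Constructed example: reactive block-list with expiry and serialized updates."""
import threading


class BlockList:
    """Tracks IPs blocked after a scan and expires them after `ttl` seconds."""

    def __init__(self, ttl: float = 24 * 3600.0):
        self.ttl = ttl                 # assumption: how long a block stays active
        self._rules = {}               # ip -> time the block was added
        self._lock = threading.Lock()  # serializes concurrent invocations

    def block(self, ip: str, now: float) -> bool:
        """Add a block for `ip`; returns True only if a new rule was created.
        Holding the lock means a burst of 'scan detected' events applies one
        at a time instead of racing each other on the rule table."""
        with self._lock:
            if ip in self._rules:
                self._rules[ip] = now  # refresh the timestamp, never duplicate
                return False
            self._rules[ip] = now
            return True

    def expire(self, now: float) -> list:
        """Drop rules older than ttl so the table does not grow without bound."""
        with self._lock:
            stale = [ip for ip, t in self._rules.items() if now - t >= self.ttl]
            for ip in stale:
                del self._rules[ip]
            return stale

    def active(self) -> list:
        """Current blocked IPs, sorted for stable comparison."""
        with self._lock:
            return sorted(self._rules)


def simulate_fast_scan(bl: BlockList, ip: str, hits: int, now: float) -> int:
    """Fire `hits` concurrent 'scan detected' events for one IP, like the burst
    that invoked the original script several times before it had finished.
    Returns how many handlers believed they created a new rule (should be 1)."""
    created = []

    def handler():
        created.append(bl.block(ip, now))

    threads = [threading.Thread(target=handler) for _ in range(hits)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(created)
```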

SOURCE: echomail via fidonet.ozzmosis.com
