On 6/22/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 6/21/05, • • <googl3meister at gmail dot com> wrote:
> >
> > What I am saying is that we make allowances based on conditions,
> > requirements and budget. I have installed snort into the m0n0 image
> > myself and set it up syslogging to a central server. I have no fears
> > of examining false positives because I have no services exposed and so
> > the firewall drops the packet anyway. What I wanted was visibility
> > for R&D and that is all. It works perfectly (thank you Manuel!). I
> > have mitigating factors in place to guard against failures within
> > snort - it's defence in depth. It takes time to tune it for its
> > intended purpose, for certain, but the gain in information far exceeds
> > the blindness of not knowing what it is that ticks away at the
> > firewall all day.
> >
>
> Then since you don't allow anything inbound, you're just doing it for
> the sake of seeing what's out there because you're curious. That's
> much different than relying on it for detecting intrusions. You're
> just using it as an Internet Crud Detector. (how about a new acronym,
> ICD!) :) You aren't going to detect any intrusions because you
> aren't allowing any of that traffic in. A simple ICD is fine for the
> sake of the curious, but if you actually want to detect intrusions,
> it's of little value.
>

I'm sorry but that's just not true - I still use it to get out...

I'm sorry, but you don't appear to have much commercial experience with snort.

--cheers gm
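An added example (not part of this thread) of the triage the two posts are arguing about: snort alerts syslogged from a firewall with no inbound services are split by direction, so that inbound "crud" the firewall dropped anyway is only counted while alerts from LAN hosts going out are collected for review. The LAN prefix, WAN address and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example: the LAN behind the m0n0wall box and its WAN
# address. SAMPLE_LOG is constructed in snort's alert_syslog format.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("198.51.100.1")
SAMPLE_LOG = """\
Jun 22 10:15:01 fw snort[1234]: [1:100001:1] EXAMPLE SCAN inbound probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 198.51.100.1:445
Jun 22 10:15:03 fw snort[1234]: [1:100002:1] EXAMPLE ICMP sweep [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.8 -> 198.51.100.1
Jun 22 10:15:09 fw snort[1234]: [1:100003:1] EXAMPLE IRC outbound connect [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:49152 -> 203.0.113.9:6667
Jun 22 10:15:12 fw snort[1234]: [1:100001:1] EXAMPLE SCAN inbound probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 198.51.100.1:139
"""
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[Classification: [^\]]*\] "
    r"\[Priority: (?P<pri>\d+)\] \{\w+\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def split_endpoint(ep):
    """'203.0.113.7:51234' -> (address, 51234); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    if not sep:
        return ipaddress.ip_address(ep), None
    return ipaddress.ip_address(host), int(port)

def direction(src, dst):
    """Classify an alert relative to the LAN."""
    if src in LAN and dst not in LAN:
        return "outbound"   # a LAN host talking out: the firewall let it through
    if dst in LAN or dst == WAN_IP:
        return "inbound"    # hit the WAN side; with no services exposed it was dropped
    return "other"

def triage(log_text):
    """Count alerts per direction and collect the outbound ones for review."""
    counts = Counter()
    outbound = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a snort alert line; ignore
        src, _ = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        d = direction(src, dst)
        counts[d] += 1
        if d == "outbound":
            outbound.append((m["sid"], m["msg"], str(src), str(dst), dport))
    return counts, outbound
```

On the sample above, three alerts are inbound noise against the dropped WAN side and one is a LAN host connecting out, which is the alert worth a person's time.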