From: Jeffrey Sewell (jeffrey_sewell@xxxxxxxxx)
Date: Mon Dec 10 2001 - 13:13:10 GMT-3
Download snort (www.snort.org). It's an IDS, and it's
free. And if, after using it, you still want to pay
for one (it, in my opinion, beats the hell out of any
that you can buy), tell management that it was an eval
copy...
Otherwise, as another respondent suggested, start
sending the logs to a syslog server (you'll need to
log everything, not just deny events) and turn on
tcpdump on some unix/linux machine inside your
firewall and manually or--if you value your time and
sanity--with a script, start poring over the logs
from both, looking for scans of ip addresses and/or
ports and... well, the art of intrusion detection is
determining for *what*, exactly, to look. Start with
the incidents page (www.incidents.org).
From a security standpoint it is harder to justify
*not* having an IDS. We are all constantly under
attack--but without an IDS how do we know that a
connection to port 80 is legitimate and not the latest
worm burrowing its way in? Or out? Some form of an
IDS is the only way to determine if traffic which is,
by policy, allowed through the firewall is legitimate
or not. What good is a wall if there is no keeper at
the gate?
Sorry to meander--I've often found myself having to
justify IDS to management. Just trying to help prime
the pump for you--I know what a fight it can be.
Jeffrey
--- "Dean, Justin" <Justin.Dean@nrtinc.com> wrote:
> Does anyone know how to see if your network is being
> attacked (or attempted
> to be attacked) from the internet, by looking at the
> PIX? Basically, I want
> to find some hard data that would justify looking
> into an IDS product.
> Thanks for any input. JD
>
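An added example (not from the post or either poster) of the kind of "script, if you value your time and sanity" the reply suggests: it reads PIX-style syslog lines, both the deny events and the permitted (Built) connections, groups them by source address, and flags a source that touches many ports on one host (port scan) or the same port on many hosts (address sweep). The log lines are constructed and only loosely follow the PIX deny / Built-connection message style; the thresholds, field names and regexes are assumptions, not a PIX specification. The point the post makes is visible in the output: the sweep is entirely permitted traffic on port 80, which a deny-only log would never have shown.

```python
"""Sift PIX-style syslog lines for port scans and address sweeps.

Added example: assumed line shapes, assumed thresholds, constructed data.
"""
import re
from collections import defaultdict

# Assumed thresholds: distinct ports per (src, dst) and distinct hosts per (src, port).
PORT_SCAN_THRESHOLD = 10
SWEEP_THRESHOLD = 10

# Tolerant patterns for the two event shapes used in the constructed sample:
#   deny:   "... Deny tcp src outside:SRC/SPORT dst inside:DST/DPORT ..."
#   permit: "... Built inbound TCP connection N for faddr SRC/SPORT gaddr DST/DPORT ..."
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ "
    r"for faddr (?P<src>[\d.]+)/(?P<sport>\d+) gaddr (?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport, action) for a recognised line, else None."""
    m = DENY_RE.search(line)
    if m:
        return m["src"], m["dst"], int(m["dport"]), "deny"
    m = BUILT_RE.search(line)
    if m:
        return m["src"], m["dst"], int(m["dport"]), "permit"
    return None


def find_scans(lines, port_threshold=PORT_SCAN_THRESHOLD, sweep_threshold=SWEEP_THRESHOLD):
    """Group events by source and report sources exceeding either threshold."""
    ports_by_src_dst = defaultdict(set)   # (src, dst)   -> distinct destination ports
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> distinct destination hosts
    denied = defaultdict(int)             # src -> number of denied events
    permitted = defaultdict(int)          # src -> number of permitted connections
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # unrelated syslog line, ignored
        src, dst, dport, action = ev
        ports_by_src_dst[(src, dst)].add(dport)
        hosts_by_src_port[(src, dport)].add(dst)
        if action == "deny":
            denied[src] += 1
        else:
            permitted[src] += 1

    findings = []
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            findings.append({"type": "port_scan", "src": src, "dst": dst,
                             "count": len(ports), "denied": denied[src],
                             "permitted": permitted[src]})
    for (src, dport), hosts in hosts_by_src_port.items():
        if len(hosts) >= sweep_threshold:
            findings.append({"type": "address_sweep", "src": src, "dport": dport,
                             "count": len(hosts), "denied": denied[src],
                             "permitted": permitted[src]})
    return findings


def build_sample():
    """Constructed log: one scanner probing 12 ports then getting a permitted
    port-80 connection, one source sweeping 12 hosts on port 80 (all permitted),
    one ordinary visitor, and one unrelated line."""
    lines = []
    for p in range(21, 33):
        lines.append(f"Dec 10 13:13:{p:02d} fw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4{p:03d} "
                     f"dst inside:10.0.0.5/{p} by access-group \"outside_in\"")
    lines.append("Dec 10 13:13:40 fw %PIX-6-302001: Built inbound TCP connection 5001 "
                 "for faddr 203.0.113.7/4100 gaddr 10.0.0.5/80 laddr 192.168.0.5/80")
    for h in range(1, 13):
        lines.append(f"Dec 10 13:13:50 fw %PIX-6-302001: Built inbound TCP connection {5100 + h} "
                     f"for faddr 198.51.100.9/3{h:03d} gaddr 10.0.0.{h}/80 laddr 192.168.0.{h}/80")
    lines.append("Dec 10 13:13:55 fw %PIX-6-302001: Built inbound TCP connection 5200 "
                 "for faddr 192.0.2.50/2222 gaddr 10.0.0.5/80 laddr 192.168.0.5/80")
    lines.append("Dec 10 13:14:00 fw syslog: unrelated message (constructed)")
    return lines


if __name__ == "__main__":
    for f in find_scans(build_sample()):
        print(f)
```

Run as-is to see both findings; in practice feed it the syslog file (`find_scans(open(path))`) and tune the two thresholds to your own traffic, since a single busy proxy can look like a sweep.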
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:41 GMT-3