Comments on: Less Is More http://newschoolsecurity.com/2009/11/less-is-more/ The Blog Inspired By The Book Tue, 07 Feb 2012 02:09:16 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Christopher Porter http://newschoolsecurity.com/2009/11/less-is-more/#comment-552 Christopher Porter Wed, 25 Nov 2009 19:33:51 +0000 http://newschoolsecurity.com/?p=1058#comment-552 I suppose this is another way of saying "know your business" or "know your network". In our DBIR, this would fall into this bucket: "Define “suspicious” and “anomalous” (then look for whatever “it” is):" I suppose this is another way of saying “know your business” or “know your network”.

In our DBIR, this would fall into this bucket: “Define “suspicious” and “anomalous” (then look for whatever “it” is):”

]]> By: Andy Steingruebl http://newschoolsecurity.com/2009/11/less-is-more/#comment-550 Andy Steingruebl Wed, 25 Nov 2009 16:54:04 +0000 http://newschoolsecurity.com/?p=1058#comment-550 The best IDS configuration I ever ran was the SHADOW package that Northcutt's team put together way back when. All it was was a bunch of tcpdump filters that you could define for profile of normal traffic, and it would alert you to anything not matching the pattern. Web server making outbound connections of any sort. Connects to hosts on ports you weren't expecting etc. The only useful IDS package I ever used. The best IDS configuration I ever ran was the SHADOW package that Northcutt’s team put together way back when. All it was was a bunch of tcpdump filters that you could define for profile of normal traffic, and it would alert you to anything not matching the pattern.

Web server making outbound connections of any sort.
Connects to hosts on ports you weren’t expecting
etc.

The only useful IDS package I ever used.

]]>