9 Jun
2005
9 Jun
'05
2:50 p.m.
My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose. Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines.
it's enough of a pita to clean up the syslogs from all the 25k/day password attacjs per host, when one does not have password ssh even enabled. randy