List:       dragonidsuser
Subject:    Re: [Dragonidsuser] Dealing with DHCP
From:       Jordan Wiens <numatrix () ufl ! edu>
Date:       2004-12-02 18:50:08
Message-ID: Pine.LNX.4.58.0412021344450.11368 () afybt ! areqp ! hsy ! rqh

On Wed, 1 Dec 2004, Schuyler, Peter wrote:

> I have several Dragon Sensors in key positions around our corporate
> infrastructure, which I have tried to tune as best possible. The
> situation I have stems from the fact that our users' workstations have
> IPs predominantly issued via DHCP, with scattered static IPs being
> used. This prevents me from more finely tuning the sensors, because
> when people go on vacation or travel for several weeks, it effectively
> voids the Dragon filters I put in (for example IRC connections over a
> high port), because their IP changes when they return. This situation is
> compounded by the fact that people are constantly being moved from
> building to building, as remodeling and reorganization work completes.
> 
> I'm curious what methods or best practices have been developed by others
> responsible for IDS monitoring/tuning, to deal with this type of
> changing environment. While I've never worked in a university network
> setting, I would think that that environment would be similar in nature
> to mine, albeit on a larger scale. Any insights would be appreciated.

I know others have taken different measures, but what works for us here is
to actually leave a lot of the 'noise' in Dragon.  We tune things, to be
sure, but all in all, we log lots of data that we know is a
false positive, but we either screen it out visually (oh, that's such and
such department, doing the ssh-high-port traffic they are always doing),
or with command-line scripts that just grep out the traffic we're used to
seeing.

That tends to be mostly for managed and server networks which are, by and
large, not vastly DHCP-addressed (or are at least narrow enough that
filters on the local subnet are sufficient).  Student dorms, fraternities,
and all of the walkup ports are indeed DHCP'ed, however, and we do very
little tuning on those networks.

There are many thousands of users on those networks, so it's impossible for
us to try to track them individually, so we tend to leave end-user
tweaking alone, preferring instead to make changes as needed across the
board or not at all, and again relying on the above-mentioned ways of
ignoring 'usual' offenders (or their destination; for example, filter the
destination IRC servers with high-port IRC as opposed to your local
nomadic folks).

Hope that helps.

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
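The suppression approach Jordan describes (grep out the usual offenders, and key the filter on the stable destination or the managed subnet rather than on a DHCP-assigned source address) as an added example that is not part of the original thread and not Dragon's own filter syntax; the alert line format, signature names, addresses and the SUPPRESS rule table are all constructed for illustration:

```python
import ipaddress
import re

# Constructed sample alerts in a generic "ts sig src:port -> dst:port" text
# form (not Dragon's real log format); host 10.20.5.17 got a new DHCP lease
# as 10.20.9.201 on the second line.
SAMPLE_ALERTS = """\
2004-12-01 09:12:03 IRC-HIGH-PORT 10.20.5.17:51234 -> 192.0.2.10:6667
2004-12-01 09:15:44 IRC-HIGH-PORT 10.20.9.201:49777 -> 192.0.2.10:6667
2004-12-01 09:20:10 SSH-HIGH-PORT 10.30.1.8:2222 -> 10.30.1.9:2222
2004-12-01 09:31:55 IRC-HIGH-PORT 10.20.5.17:51300 -> 198.51.100.7:6697
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<sig>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

# Suppression rules keyed on stable attributes: a signature plus a CIDR on
# src or dst. A rule matches only if every listed field matches. Keying on
# the destination (or a managed subnet) rather than a single DHCP-assigned
# source address is what keeps the rule valid after the lease changes.
SUPPRESS = [
    {"sig": "IRC-HIGH-PORT", "dst": "192.0.2.10/32"},  # known IRC server
    {"sig": "SSH-HIGH-PORT", "src": "10.30.1.0/24"},   # managed server subnet
]

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def matches(alert, rule):
    for field, want in rule.items():
        if field in ("src", "dst"):
            if ipaddress.ip_address(alert[field]) not in ipaddress.ip_network(want):
                return False
        elif alert[field] != want:
            return False
    return True

def triage(text, rules=SUPPRESS):
    """Return parsed alerts that no suppression rule covers (the ones a
    human still needs to look at)."""
    return [a for a in (parse(l) for l in text.splitlines())
            if a and not any(matches(a, r) for r in rules)]
```

Only the last alert survives: the nomadic host's new address on line two is still suppressed because the rule never mentioned its source IP, while the connection to an unlisted IRC server is kept for review.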