The problem with something like snort is when someone tries a code snippet
like sneeze (http://www.securiteam.com/tools/5DP0T0AB5G.html) you will soon
find that snort / acid has its drawback (even with many many filters it can
be a hard thing to track legit traffic from sneeze traffic).
Unless of course snort has had upgrades to fix against sneeze-like traffic.
This is, of course, true for any sort of IDS.
From: James Riden [mailto:firstname.lastname@example.org]
At this site, snort/ACID is proving amazingly handy, especially when
portscan.log is monitored as well, and for example we look at boxes which
are racking up a lot of outbound firewall denies on 25/tcp and ports 135-139
etc. But then our network model is particularly snort-friendly.
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer,
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
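An added example, not code from either poster, of the kind of check James describes: tallying outbound firewall denies per internal host on 25/tcp and 135-139, so a box racking up denies stands out even when the IDS alert stream itself is noisy. The iptables-style log format and the sample lines are constructed assumptions, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed iptables-style outbound-deny format;
# the fields this check uses are SRC, DST, PROTO and DPT.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP SPT=3345 DPT=25
Mar  3 10:01:03 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.11 PROTO=TCP SPT=3346 DPT=25
Mar  3 10:01:03 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.12 PROTO=TCP SPT=3347 DPT=139
Mar  3 10:01:04 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.13 PROTO=TCP SPT=3348 DPT=135
Mar  3 10:01:05 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=198.51.100.5 PROTO=TCP SPT=4001 DPT=443
Mar  3 10:01:06 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.14 PROTO=TCP SPT=3349 DPT=25
Mar  3 10:01:07 gw kernel: FW-OUT-DENY IN=eth1 OUT=eth0 SRC=10.1.2.7 DST=203.0.113.20 PROTO=UDP SPT=137 DPT=137
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# The ports singled out in the thread: SMTP and the NetBIOS/RPC range 135-139.
WATCHED_PORTS = {25} | set(range(135, 140))


def parse_denies(log_text):
    """Yield (src, dst, proto, dport) for each outbound-deny line; skip lines that do not parse."""
    for line in log_text.splitlines():
        if "OUT-DENY" not in line:
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def suspicious_hosts(log_text, threshold=3):
    """Return {src: {"denies", "distinct_dst", "ports"}} for hosts with at least
    `threshold` denied outbound connections to watched ports."""
    stats = defaultdict(lambda: {"denies": 0, "dsts": set(), "ports": set()})
    for src, dst, proto, dport in parse_denies(log_text):
        if dport not in WATCHED_PORTS:
            continue
        stats[src]["denies"] += 1
        stats[src]["dsts"].add(dst)
        stats[src]["ports"].add(dport)
    return {
        src: {"denies": s["denies"], "distinct_dst": len(s["dsts"]), "ports": sorted(s["ports"])}
        for src, s in stats.items() if s["denies"] >= threshold
    }


if __name__ == "__main__":
    for host, info in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['denies']} denies to {info['distinct_dst']} hosts on ports {info['ports']}")
```

The distinct-destination count is what separates a host fanning out across many addresses from one retrying a single legitimate mail relay.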