Security Log Management: Identifying Patterns in the Chaos

Chapter 2: IDS Reporting

Introduction

This chapter covers how to get more information out of your passive detection systems. An organization's intrusion detection system (IDS) platform can be used for attack detection, and it can also be leveraged to monitor many other aspects of the environment: the health and wellness of a network, policy enforcement, the effects of policy changes, utilization of network resources, and overall visibility into your network(s). All the solutions in this chapter are freeware and should be able to answer at least one of the following questions:

  • Do you know if an exploit worked on a victim on your network even if you don't have a signature for the exploit?

  • Can a tool like tcpdump be used to create an effective poor man's denial-of-service (DoS) detection tool in your network environment?

  • Can you tag and determine how much of your Web traffic is being generated by malware and unauthorized software? Can you determine from network monitoring which machines on your network don't have the latest build of your corporate network software (Web clients, SSH clients, telnet/FTP clients, etc.)?

  • Can you determine your top Web surfer and the sites your users browse most?

  • Can you determine the top .com/.net/.edu/etc. site that your users are requesting? How much of that is malware? Can you use that information to create a blocklist of bad domains to kill malware before it has a chance to communicate outside your network(s)?

  • Can you determine how much mail your SMTP servers are processing? Who are the top sender and...
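The second question above, a poor man's DoS detector built on tcpdump, is the one that most readily reduces to a few lines of code. The following is an added example, not code from the book: it reads the one-line TCP summaries that `tcpdump -n -tt` prints, counts bare SYNs (flag `S` with no ACK) per source toward each destination port in one-second buckets, and reports sources whose peak rate exceeds a threshold. The addresses, the 120-packet burst and the threshold of 50 SYNs per second are constructed for the example; tune the threshold to your own baseline.

```python
"""Poor man's SYN-flood detector over `tcpdump -n -tt` output (added example)."""
import re
import sys
from collections import Counter, defaultdict

# One-line TCP summary as printed by `tcpdump -n -tt` on Linux:
#   <epoch.usec> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
TCP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a TCP summary line, or None for anything else."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = float(pkt["ts"])
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_bare_syn(flags):
    # "S" is a connection attempt; "S." is the SYN-ACK reply; "." carries an ACK.
    return flags == "S"


def syn_rates(lines, window=1.0):
    """Map (src, dst, dport) -> peak number of bare SYNs in any window-second bucket."""
    buckets = defaultdict(Counter)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not is_bare_syn(pkt["flags"]):
            continue
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        buckets[key][int(pkt["ts"] // window)] += 1
    return {key: max(per_bucket.values()) for key, per_bucket in buckets.items()}


def flag_floods(lines, threshold=50, window=1.0):
    """Sources whose peak bare-SYN rate toward one dst:port exceeds the threshold."""
    return sorted(
        (key, rate) for key, rate in syn_rates(lines, window).items() if rate > threshold
    )


def constructed_sample():
    """Constructed tcpdump lines: one normal handshake plus a 120-SYN burst."""
    base = 1700000000.0
    lines = [
        f"{base:.6f} IP 10.0.0.7.40001 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
        f"{base + 0.001:.6f} IP 192.168.1.10.80 > 10.0.0.7.40001: Flags [S.], seq 2, ack 2, win 65160, length 0",
        f"{base + 0.002:.6f} IP 10.0.0.7.40001 > 192.168.1.10.80: Flags [.], ack 1, win 502, length 0",
    ]
    # Flooder: 120 SYNs from rotating source ports, all inside one second.
    for i in range(120):
        lines.append(
            f"{base + i / 120:.6f} IP 10.0.0.5.{20000 + i} > 192.168.1.10.80: "
            f"Flags [S], seq {i}, win 1024, length 0"
        )
    return lines


if __name__ == "__main__":
    # Live use: tcpdump -n -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 syn_flood.py
    source = sys.stdin if not sys.stdin.isatty() else constructed_sample()
    for (src, dst, dport), rate in flag_floods(source):
        print(f"{src} -> {dst}:{dport}  peak {rate} SYN/s")
```

The BPF filter on the tcpdump command line keeps only SYN-without-ACK segments, so the script sees a fraction of the traffic and the per-second counters stay cheap. A legitimate client opening many short connections (a crawler, a monitoring probe) can cross a low threshold, so treat the output as a lead to correlate with server load and IDS alerts rather than as proof of an attack.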
