[unisog] staffing levels

James Riden j.riden at massey.ac.nz
Wed Jul 6 05:07:04 GMT 2005

Russell Fulton <r.fulton at auckland.ac.nz> writes:

> I also run a bunch of snort sensors (ones on both sides of the
> perimeter firewall -- with different rules and some more scattered
> around the network).  I'd estimate I spend about 1-2 hours a day
> monitoring and keeping it going, but I *could* spend much more.  I
> primarily use snort as a sort of weather vane to see which way the
> wind is blowing.  So, although I see 1000s of alerts, I rarely
> follow stuff up.  There are a few exceptions -- when I see a local
> machine attacking lots of others then we know that we have a bot and
> it gets taken off the network.  There are a few other things that I
> do look for (like ftp servers running on high numbered ports).
> Currently we are waging war on music sharing and I have been
> directed to follow up all p2p traffic, this takes quite a lot of
> time.

Quite similar to Russell really - couple of hours a day chasing up
things which are of current concern - mostly used for squashing
internal viruses, worms and filesharing and also keeping an eye on the
kind of things which are making it inside the perimeter (SQL
injection, SSH password guessing and attacks like Slammer packets
which shouldn't have got through the firewall).

The firewall pulls its rulesets from a database so requires minimal
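As an added example, not code from this thread or from either poster, the two triage heuristics Russell describes above (an internal machine hitting lots of other hosts as a bot indicator, and FTP servers turning up on high-numbered ports) implemented over Snort "fast" alert lines. The alert lines, the rule IDs in the local 1000000+ range, the 10.10.0.0/16 internal range and the fan-out threshold of 4 are all constructed assumptions for the demonstration.

```python
"""Triage heuristics over Snort fast-format alerts (constructed sample data).

Counts distinct destination hosts per internal source and flags sources whose
fan-out exceeds a threshold (the "local box attacking lots of others" rule of
thumb), and picks out FTP-related alerts whose server port is outside the
privileged range.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed Snort fast-alert lines. Addresses come from RFC 1918 / RFC 5737
# ranges and the sids are in the local (1000000+) range; none are real events.
SAMPLE_ALERTS = """\
07/06-05:01:12.000001  [**] [1:1000001:1] LOCAL Outbound SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.5.23:40001 -> 10.10.6.1:22
07/06-05:01:12.100002  [**] [1:1000001:1] LOCAL Outbound SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.5.23:40002 -> 10.10.6.2:22
07/06-05:01:12.200003  [**] [1:1000001:1] LOCAL Outbound SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.5.23:40003 -> 10.10.6.3:22
07/06-05:01:12.300004  [**] [1:1000001:1] LOCAL Outbound SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.5.23:40004 -> 10.10.6.4:22
07/06-05:01:13.000005  [**] [1:1000002:1] LOCAL Outbound SMB connection attempt [**] [Priority: 3] {TCP} 10.10.5.23:40005 -> 203.0.113.7:445
07/06-05:02:00.000006  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.7.8 -> 10.10.0.1
07/06-05:03:30.000007  [**] [1:1000004:1] LOCAL FTP login to standard port [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:51000 -> 10.10.7.8:21
07/06-05:03:31.000008  [**] [1:1000005:1] LOCAL FTP server banner on non-standard port [**] [Classification: Misc activity] [Priority: 2] {TCP} 198.51.100.9:51001 -> 10.10.9.40:31337
this line is not an alert and is skipped by the parser
"""

# Assumed address space of the campus network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Snort "fast" format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src[:sport] -> dst[:dport]. Classification and ports
# are optional (ICMP alerts carry no ports).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one fast-format line into a dict, or return None if it is not one."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    a["prio"] = int(a["prio"])
    return a


def parse_alerts(text):
    """Parse every line of an alert file, silently dropping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def fan_out_sources(alerts, internal_nets, threshold):
    """Internal sources that alerted against >= threshold distinct hosts.

    Returns {src: sorted list of distinct destinations}. Destinations are not
    filtered to external hosts, since a worm or bot scanning the inside of the
    network is exactly what this indicator is meant to catch.
    """
    targets = defaultdict(set)
    for a in alerts:
        if is_internal(a["src"], internal_nets):
            targets[a["src"]].add(a["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


def high_port_ftp(alerts, unprivileged_from=1024):
    """FTP-related alerts whose server side (destination port) is >= 1024.

    A rough stand-in for the "ftp servers on high numbered ports" check; it
    relies on the rule message naming FTP, which is an assumption about the
    ruleset in use.
    """
    return [a for a in alerts
            if "FTP" in a["msg"].upper()
            and a["dport"] is not None and a["dport"] >= unprivileged_from]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for src, dsts in fan_out_sources(alerts, INTERNAL_NETS, threshold=4).items():
        print(f"possible bot: {src} alerted against {len(dsts)} hosts: {dsts}")
    for a in high_port_ftp(alerts):
        print(f"FTP on high port: {a['dst']}:{a['dport']} (sid {a['sid']}: {a['msg']})")
```

The threshold is the knob that decides how much of the "1000s of alerts" a person actually looks at: set it high enough that ordinary chatty hosts stay below it, and the output reduces to the handful of machines worth taking off the network.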

