The problem with something like snort is when someone tries a code snippet like sneeze (http://www.securiteam.com/tools/5DP0T0AB5G.html): you will soon find that snort / acid has its drawbacks (even with many, many filters it can be a hard thing to track legit traffic from sneeze traffic). Unless of course snort has had upgrades to fix against sneeze-like traffic =]

This is, of course, true for any sort of IDS.

Cheers,
M

-----Original Message-----
From: James Riden [mailto:j.riden(a)massey.ac.nz]

At this site, snort/ACID is proving amazingly handy, especially when portscan.log is monitored as well, and for example we look at boxes which are racking up a lot of outbound firewall denies on 25/tcp and ports 135-139 etc.

But then our network model is particularly snort-friendly.

cheers,
Jamie
--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/