Extrusion detection (aka. ReverseIntrusionDetection) means turning an IntrusionDetectionSystem on its head so it watches for "bad" traffic leaving your network instead of bad traffic entering your network.
Below is a howto posted by TerrySchmidt on how he set up an ExtrusionDetection system on his node:
- Grab the latest version of Snort (www.snort.org), currently 1.8p1 (however I'm running 1.7)
- Grab the latest ruleset from www.snort.org (there are other snort rulesets available, I haven't determined which one best suites this projects needs).
- Whittle down the ruleset to just rules that only create True Positives (Not down to an exact since)
- Reverse the rules (done in just one place in the Snort configuration file) so that you monitor all traffic coming from your suspected hosts (probably wireless clients) against all the internet hosts.
- Set the parameters high enough so you don't get port scan false positives.
- Test the setup and monitor the rules for false positives.
- After you are satisfied, add Guardian (www.snort.org) which starts blocking IP addresses using IP chains of people triggering alerts. Be careful with the Guardian as you can block legitimate hosts, and even yourself if configured improperly.
(Added by AdamShand)