Extrusion detection (a.k.a. reverse intrusion detection) is the process of turning an intrusion detection system on its head so that it watches for "bad" traffic leaving your network instead of bad traffic entering your network.
Below is a brief how-to posted by TerrySchmidt on how he set up an ExtrusionDetection system on his node:
- Grab the latest version of Snort (www.snort.org); currently it is 1.8p1 (however I'm running 1.7).
- Grab the latest ruleset from www.snort.org (there are other Snort rulesets available; I haven't determined which one best suits this project's needs).
- Whittle down the ruleset to just rules that only create true positives (not down to an exact science).
- Reverse the rules (done in just one place in the Snort configuration file) so that you monitor all traffic coming from your suspected hosts (probably wireless clients) against all the Internet hosts.
- Set the parameters high enough so you don't get accidental portscan false positives.
- Test the setup and monitor the rules for false positives.
- After you are satisfied, add Guardian (www.snort.org), which starts blocking the IP addresses of people triggering alerts using ipchains. Be careful with Guardian, as you can block legitimate hosts, and even yourself, if it is configured improperly.
(Added by AdamShand)
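To show what the "reverse the rules in one place" and "raise the portscan parameters" steps look like in practice, here is an illustrative snort.conf fragment. It is an added example, not TerrySchmidt's actual configuration; it assumes Snort 1.x variable and preprocessor syntax, and the wireless client subnet 10.1.0.0/24 and gateway 10.1.0.1 are constructed values.

```conf
# snort.conf fragment (illustration only, not the original node's config).
# Assumes Snort 1.x syntax; 10.1.0.0/24 and 10.1.0.1 are made-up values.

# Stock rules are written as "$EXTERNAL_NET -> $HOME_NET": attackers on the
# Internet hitting the hosts you protect. Swapping the two variables here is
# the one-place change: every unmodified rule now treats the wireless clients
# as the SOURCE and the rest of the Internet as the DESTINATION.
var EXTERNAL_NET 10.1.0.0/24      # the suspected hosts (wireless clients)
var HOME_NET     !10.1.0.0/24     # everything that is not a wireless client

# A stock-style rule (constructed here for illustration) reads:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI probe";
#         flags:A+; content:"/cgi-bin/";)
# With the variables above it fires when a wireless client SENDS such a
# request to any web server on the Internet.

# Portscan detection: <network> <ports> <seconds> <logfile>. A high
# ports-per-interval threshold keeps a client that legitimately opens a
# handful of connections from being flagged (and later blocked by Guardian).
preprocessor portscan: $EXTERNAL_NET 20 5 /var/log/snort/portscan.log

# Hosts that legitimately talk to many ports quickly (e.g. the node's own
# gateway/DNS box) are excluded so they can never trigger a block.
preprocessor portscan-ignorehosts: 10.1.0.1

# Stock rule files are included unchanged; the variable swap reverses them.
include web-cgi.rules
include web-iis.rules
```

Because the swap applies to every included rule, rules that only make sense inbound (e.g. responses to your own servers) should be among those whittled out in the earlier step, or they will produce false positives on outbound traffic.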