> IMHO the first step in developing any type of intrusion >detection package is knowing what to look for i.e. knowing what an >intrusion looks like. There is another approach. That is to know what "NORMAL" operation looks like and to report on exceptions. Just my 2 cents worth Andrew ---------------------------------------------------------------------- Andrew PRUSEK Phone: +61 86 40 4590 BHP Information Technology Fax: +61 86 40 4720 PO Box 21 / Port Augusta Road Email: andrewp@itwhy.bhp.com.au Whyalla SA 5600 Prefered OS: Linux Australia Disclaimer: My opinions are my own.