First, he has a lot of sensors on the network. In every network segment there was TCPDump, a free, open source sniffer. He uses them to watch the network traffic and, when there was a virulent worm or virus, he whipped up a Perl script that looked for the signature and queried the logs from the TCPDump.

Earlier, he went to a lot of effort to document the network devices, from the student PCs in the dorms to the big iron in the data center, by IP address, MAC address and physical location. The various Perl scripts note the virus signature, note the IP address, cross reference using ARP logs to MAC address and physical location, and then go to the appropriate local switch and shut off access by the device to the network. All of this is automatic. It's a crude, but extremely effective, IPS.

My colleague is very clever. He looked at the problem, decided it was too much for one person to handle, and wrote a Perl script to do it for him. As far as I know there is not one piece of commercial software in this. If you check out today's crop of SIMs and IPSs, you'll find that they are anything but free (except Snort, of course).

This solution lets organizations with limited resources stop the bleeding without spending a fortune on products and services. It leverages the available time of the few people you have to manage security. The bottom line is that this is not the answer, but it is an answer. If we are clever, we'll get by. And sometimes getting by is the best we can manage, at least for awhile.