Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: Protocol Anomaly Detection IDS

Re: Protocol Anomaly Detection IDS

From: Yaakov Yehudi <yehudi_at_tehila.gov.il>
Date: Tue, 11 Feb 2003 10:12:59 +0200

I think you would be wise to evaluate ForeScout's ActiveScout. I have been
using ActiveScout for well over a year. Especially since the last version
of the software, I have become quite impressed. Some of the bells and
whistles are very useful too.

Also you'll find that the guys at ForeScout are very interested in customer
feedback, and are frequently able to incorporate improvements when the next
version is
released.

I definitely suggest that you should request an evaluation version of the
software. And no, I am not associated with ForeScout in any way other that
as a user of the ActiveScout software.

Best Regards, Yaakov

At Wednesday 05/02/2003 06:07, Michael L. Artz wrote:
>Date: Tue, 04 Feb 2003 23:07:02 -0500
>From: "Michael L. Artz" <dragon_at_october29.net>
>Subject: Protocol Anomaly Detection IDS
>To: focus-ids_at_securityfocus.com
>Reply-To: slyph_at_alum.mit.edu
>Message-id: <3E408DE6.3050404_at_october29.net>
>MIME-version: 1.0
>Content-type: text/plain; charset=us-ascii; format=flowed
>Content-transfer-encoding: 7BIT
>X-Accept-Language: en-us, en
>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030101
>X-Enigmail-Version: 0.71.0.0
>X-Enigmail-Supports: pgp-inline, pgp-mime
>
>I am trying to supplement our existing signature based IDS (Snort, gotta
>love open source) with a protocol anomaly based one in a fairly large
>enterprise network. I am in the fairly early stages of research, so I
>guess that the first question would be, is it worth it?
>
>I hear the anomaly detection buzzword thrown around a lot these days, and
>can't quite get past all the marketing hype. From what I can tell,
>protocol anomaly detection seems to be the more promising than the
>statistical for detecting new or IDS-cloaked attacks. However the notion
>of "conforming to RFCs" leaves a lot of leeway for the vendors to play
>with. How well do these types of systems actually work?
>
>Does anyone have any recommendations as to which systems to look into/stay
>away from? Below is a list of some of the ones that looked like they
>might support protocol anomaly detection from their marketing hype, let me
>know if I left any out/incorrectly added any:
Received on Feb 11 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]