Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

focus-ids logo IDS mailing list archives

Re: Protocol Anomaly Detection IDS
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 10 Feb 2003 21:04:52 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just as an FYI, Snort can do protocol anomaly detection, through it's rules-based engine, it's decoder and in its preprocessors. Protocol anomalies mean different things to different people, of course, so it depends on what you're really looking for.
People commonly think of Snort as a "signature based" IDS only, it's actually capable of a lot more than that... 

     -Marty


On Tuesday, February 4, 2003, at 11:07 PM, Michael L. Artz wrote:
I am trying to supplement our existing signature based IDS (Snort, gotta love open source) with a protocol anomaly based one in a fairly large enterprise network. I am in the fairly early stages of research, so I guess that the first question would be, is it worth it?
I hear the anomaly detection buzzword thrown around a lot these days, and can't quite get past all the marketing hype. From what I can tell, protocol anomaly detection seems to be the more promising than the statistical for detecting new or IDS-cloaked attacks. However the notion of "conforming to RFCs" leaves a lot of leeway for the vendors to play with. How well do these types of systems actually work?
Does anyone have any recommendations as to which systems to look into/stay away from? Below is a list of some of the ones that looked like they might support protocol anomaly detection from their marketing hype, let me know if I left any out/incorrectly added any: 

Lancope Stealthwatch
Tipping Point/UnityOne
ISS RealSecure Guard
Cisco IDS 4250
CA/eTrust IDS
Intruvert Intrushield
NFR Network Intrusion Detection System
Netscreen/Onesecure IDP
Symantec ManHunt
Any clues or headstarts to get me pointed in the right direction would be great. 

Thanks
-Mike
- -- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616 
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+SFpKqj0FAQQ3KOARAqstAJsENil79/rVhmInh/V3ooA7kuMa0wCeIj4Y
GEOIYATApnZIasjE9OKnbF4=
=QCxg
-----END PGP SIGNATURE-----

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]