Snort mailing list archives
Re: Traffic anomaly detection
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 12 Feb 2003 11:45:07 -0600
Why, thanks for the plug. ;)

Those behavioral rules are pretty much static. You have to tell Snort what is normal and what is not. Spade is pretty much dynamic, learning by itself the normal traffic and then alerting on abnormal stuff (please correct me if that is wrong, James). Either one has its own pros/cons. Those rules I'm referring to are no replacement for Spade, for the above reason. Instead they should be used to augment Spade. Or perhaps one starts off with those rules and then adds Spade. In either case, it reeks of classic defense in depth through multiple layers or design.

Cheers,
Frank

On Wed, 2003-02-12 at 07:22, Erek Adams wrote:
> On Wed, 12 Feb 2003, Joerg Weber wrote:
>
> > we are currently using snort with quite some success (and fun, I might add). Now, I'm looking at SPADE and have no trouble finding traffic using unused IP addresses or dead ports, etc. What I'm trying to implement is the detection of 'unusual' traffic, generated by an unknown worm, a warez server, etc. I assume this is possible with SPADE, could someone confirm this? If so, could someone share a config file and maybe some alert entry so I can parse my logs/db for similar entries?
>
> Have a read over an excellent post [0] by Frank Knobbe to the focus-ids list. To sum his post up, you don't need anything more than basic rules. I'd suggest running something like ntop [1] or Sniffer Pro (commercial) to get a visual idea of who's on your net, what they are doing, and what "looks" normal. Once you've got that picture, tune your rulesets down to what is "good" for you. Then, since you know your webserver should only accept requests on ports 80 and 22, and it should never initiate any outgoing requests except for DNS, you can write rules that flag any traffic other than that.
>
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
>
> [0] http://marc.theaimsgroup.com/?l=focus-ids&m=104499996305316&w=2
> [1] http://www.ntop.org/ntop.html
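The static "flag everything that isn't expected" policy Erek describes for a web server, written out as an added Snort 2.x rules-file example (not from this thread or the Snort project); the addresses, variable names and SIDs are placeholders chosen for the example.

```snort
# Added example, not part of the original thread. Static behavioral policy
# for one web server: known-good traffic is passed, anything else alerts.
# Addresses, variable names and SIDs below are placeholders.

# Snort evaluates alert rules before pass rules unless told otherwise:
# run with "snort -o" or use the config line below (Snort 2.x).
config order: pass alert log activation dynamic

var WEB_SERVER 192.0.2.10
var DNS_SERVERS [192.0.2.53,192.0.2.54]

# --- Expected traffic: pass silently -------------------------------------
# Inbound HTTP and SSH connections to the web server
pass tcp any any -> $WEB_SERVER 80
pass tcp any any -> $WEB_SERVER 22
# Outbound DNS queries to the listed resolvers, and their replies
pass udp $WEB_SERVER any -> $DNS_SERVERS 53
pass udp $DNS_SERVERS 53 -> $WEB_SERVER any

# --- Anything else involving this host is a policy violation -------------
# A bare SYN (ACK clear) from the web server means it is *initiating* a TCP
# connection; replies inside inbound sessions carry ACK and never match, so
# no stream tracking is needed for this check.
alert tcp $WEB_SERVER any -> any any (msg:"POLICY webserver initiated outbound TCP"; flags:S; sid:1000001; rev:1;)
# Any UDP from the web server other than the DNS queries passed above
alert udp $WEB_SERVER any -> any any (msg:"POLICY webserver unexpected outbound UDP"; sid:1000002; rev:1;)
# Inbound connection attempts to ports other than 80/22
alert tcp any any -> $WEB_SERVER any (msg:"POLICY webserver unexpected inbound TCP"; flags:S; sid:1000003; rev:1;)
# Inbound UDP other than the DNS replies passed above
alert udp any any -> $WEB_SERVER any (msg:"POLICY webserver unexpected inbound UDP"; sid:1000004; rev:1;)
```

Because the policy is static, every legitimate change to the host (a new listening port, a new resolver) has to be reflected in the pass rules, which is the maintenance cost Frank contrasts with Spade's self-learning baseline.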
