IDS mailing list archives
RE: Symantec Manhunt
From: "Mariusz Burdach" <M_Burdach () compfort pl>
Date: Tue, 2 Dec 2003 09:09:58 +0100
Hi,

Everything included in the letters from Johann and Fergus, and more:

If you want to implement ManHunt 3.0 you have to think about an external database like MySQL or Oracle. The best solution is to forward events from MH to SESA (Symantec Enterprise Security Architecture). Additionally, events from MH are normalized and can be used by Incident Manager (another Symantec product).

I also suggest installing MH on Red Hat (with a proper amount of RAM) if you are going to install MH on the INTEL platform. During tests performed in our lab, MH on Intel Solaris had problems with speed, for instance while using the fragroute tool (to fragment packets).

MH is well integrated with Symantec's honeypot/honeynet system, Decoy Server. All events from Decoy Server are sent to MH without the help of any smart agents (MSA). But for administration purposes you have to use two independent consoles.

And the last piece of information: you must use signatures, which are updated by Symantec every few days. PAD (Protocol Anomaly Detection) is an excellent method but it is not sufficient.

PS. Take a look at the Gigabit IDS group test: http://www.nss.co.uk/

I hope this helps...

-----Original Message-----
From: Fergus Brooks [mailto:fergusb () evolve-online com]
Sent: Friday, November 28, 2003 8:26 AM
To: 'Johann van Duyn'; 'Duston Sickler'
Cc: focus-ids () securityfocus com; 'David Sayers -- Home'
Subject: RE: Symantec Manhunt

Everything Johann said and more:

We implemented Manhunt 2.2 running Solaris 8 x86 for a bank about 9 months ago. The key things they wanted were to not have to mess about too much with Solaris and a reliable solution. We didn't want to spend too much time in support. That is what they/we have got. I spent a few hours with them showing them how to apply filters and some other stuff. I went in there a few months ago to show them how to do some maintenance and they had already filtered all their irrelevant traffic and had their one sensor (DMZ) only telling them what they wanted to hear.

They are so happy with it that we have started discussing a bigger box running v.3 to monitor their entire network using 8 100meg sensor interfaces (it can take 12 per node - 128 nodes in a cluster) with some network roaming through auto-manipulation of their Cisco gear. It is a great NIDS and is scalable, easy to set up and (I think) most importantly easy to tune and keep tuned. Test data that I have seen shows that it really can go to 2gbps monitored traffic per node and beyond.

One thing to be careful about - if you are planning to use the MSAs (smart agents for obtaining and correlating other products' events - there are ones for ISS, Netscreen, Snort, Dragon etc...) then ensure that the MSA supports your exact version of software. We have been burnt a few times telling clients that it will take alerts from, say, FW-1 via OPSEC only to find that it is not the right version of FW-1. Also take very good heed of the hardware configuration guide - I highly advise using something on the supported list even if it is not as fast and flashy as currently possible.

Hope this helps your decision - all the best - rgds...

-----Original Message-----
From: Johann van Duyn [mailto:Johann_van_Duyn () bat com]
Sent: Thursday, 27 November 2003 2:05 AM
To: Duston Sickler
Cc: focus-ids () securityfocus com; David Sayers -- Home
Subject: Re: Symantec Manhunt

Using it. Loving it. Nuff sed?

I have it set up in conjunction with a few Network Critical taps (meaning that every interface sees only one half of the conversation), which means that the software's ability to cross-correlate is key to making any sense of the traffic it sees, and it does that bit really well. It also correlates events into incidents (giving you a shorter list of cr-p to sift through when chasing an incident) very well, although sometimes the correlation logic escapes me a bit. Depending on how much coffee I have had in the morning, this is not always difficult, though...

Its ability to correlate events and incidents across multiple ManHunt nodes is impressive. A MAJOR PLUS is that you can define tons of monitoring interfaces on each ManHunt box and set them to sniff lots of different segments, and your license (MH is licensed according to the actual sniffed bandwidth it will see, NOT per interface) is then aggregated across all the interfaces. This is much cheaper than having to deploy, e.g., 8 separate sensors of most other products.

We use Nortel switches, so we cannot make use of MH's ability to "browse" switches (by spanning switch ports over to its monitoring interfaces one by one) when it is not otherwise occupied, but its insight into our Cisco routers is very good, even though Networking sees it as cheeky that an IDS makes QoS suggestions.

The signatures work very well, and Symantec have been quite quick in releasing signatures to complement the anomaly detection capabilities of the product. Both facets of the anomaly detection (protocol anomaly, which works out of the box, and traffic anomaly, which takes a while to settle into the environment and then complains about traffic pattern changes) also work very well in my environment.

One thing I don't like is that it does not currently come out of the box with the ability to blacklist IPs on firewalls, and if you want to do that, you need to get the application that reconfigures the firewall and put it on the ManHunt box, calling it whenever you would want to blacklist an IP. This may not be something that you would use all the time, but in times of large breakouts it could come in handy. It integrates into SESA (Symantec Enterprise Security Architecture) now and one should be able to make SESA create blacklists on SGS or SEF firewalls (and maybe even FW-1 and PIX, with the necessary Event Managers for Firewalls) based on ManHunt outputs, but I have not played with that aspect of the product yet.

Depending on how au fait you are with Linux/Solaris, and who will be supporting the IDS, you may want to push Symantec and ask them when it's going to be available as an appliance.

Get a demo CD from Symantec and play with it... it's an insane product that achieves its goals in rather impressive style.

YMMV, but I hope this helps...

--------------------------------------------------------
J o h a n n   v a n   D u y n, CISSP
IT Risk and Security Manager: British American Tobacco South Africa
Stellenbosch, South Africa
Tel. +27 (21) 8883765
Cel. +27 (82) 3248035
Fax. +27 (21) 8883587
eFax. +1 (509) 2785044
E:mail: johann_van_duyn () bat com
--------------------------------------------------------
"...damage amounts in computer-related crime are often based on numbers plucked from thin air." -- Bruce Schneier
Current thread:
- RE: Symantec Manhunt Fergus Brooks (Dec 01)
- <Possible follow-ups>
- RE: Symantec Manhunt Mariusz Burdach (Dec 02)
- RE: Symantec Manhunt Hernansanz, Daniel (Dec 04)
- RE: Symantec Manhunt edward gonzales (Dec 04)
- RE: Symantec Manhunt Fergus Brooks (Dec 05)
- RE: Symantec Manhunt Johann van Duyn (Dec 05)
- RE: Symantec Manhunt simonis (Dec 05)
- RE: Symantec Manhunt Troy Pressley (Dec 05)