IDS mailing list archives

RE: Symantec Manhunt


From: "Mariusz Burdach" <M_Burdach () compfort pl>
Date: Tue, 2 Dec 2003 09:09:58 +0100

Hi,

Everything included in letters from Johann and Fergus and more:

If you want to implement ManHunt 3.0 you have to think about external
database like MySQL or Oracle. The best solution is to forward events
from MH to SESA (Symantec Enterprise Security Architecture).
Additionally, events from MH are normalized and can be used by Incident
Manager (another Symantec product). 
I also suggest installing MH on Red Hat (with a proper amount of RAM) if
you are going to install MH on the INTEL platform. During tests performed in
our lab, MH on Intel Solaris had problems with speed, for instance when
using the fragroute tool (to fragment packets).
MH is well integrated with Symantec's honeypot/honeynet system, Decoy
Server. All events from Decoy Server are sent to MH without the help of any
smart agents (MSA). But for administration purposes you have to use two
independent consoles.
And the last piece of information: you must use signatures, which are
updated by Symantec every few days. PAD (Protocol Anomaly Detection) is an
excellent method but it is not sufficient.

PS. Take a look at Gigabit IDS group test: http://www.nss.co.uk/

I hope this helps...

-----Original Message-----
From: Fergus Brooks [mailto:fergusb () evolve-online com]
Sent: Friday, November 28, 2003 8:26 AM
To: 'Johann van Duyn'; 'Duston Sickler'
Cc: focus-ids () securityfocus com; 'David Sayers -- Home'
Subject: RE: Symantec Manhunt
Everything Johann said and more:

We implemented Manhunt 2.2 running Solaris 8 x86 for a bank about 9
months ago. The key things they wanted were to not have to mess about
too much with Solaris and a reliable solution. We didn't want to spend
too much time in support.

That is what they/we have got. I spent a few hours with them showing
them how to apply filters and some other stuff. I went in there a few
months ago to show them how to do some maintenance and they had already
filtered all their irrelevant traffic and had their one sensor (DMZ)
only telling them what they wanted to hear. 

They are so happy with it that we have started discussing a bigger box
running v.3 to monitor their entire network using 8 100meg sensor
interfaces (it can take 12 per node - 128 nodes in a cluster) with some
network roaming through auto-manipulation of their Cisco gear.

It is a great NIDS and is scaleable, easy to set up and (I think) most
importantly easy to tune and keep tuned. Test data that I have seen
shows that it really can go to 2gbps monitored traffic per node and
beyond.

One thing to be careful about - if you are planning to use the MSAs
(smart agents for obtaining and correlating other products' events -
there are ones for ISS, Netscreen, Snort, Dragon etc...) then ensure
that the MSA supports your exact version of software. We have been burnt
a few times telling clients that it will take alerts from, say, FW-1 via
OPSEC only to find that it is not the right version of FW-1.

Also take very good heed of the hardware configuration guide - I highly
advise using something on the supported list even if it is not as fast
and flashy as currently possible.

Hope this helps your decision - all the best - rgds...



-----Original Message-----
From: Johann van Duyn [mailto:Johann_van_Duyn () bat com] 
Sent: Thursday, 27 November 2003 2:05 AM
To: Duston Sickler
Cc: focus-ids () securityfocus com; David Sayers -- Home
Subject: Re: Symantec Manhunt
Using it. Loving it.

Nuff sed?

I have it set up in conjunction with a few Network Critical taps
(meaning that every interface sees only one half of the conversation),
which means that the software's ability to cross-correlate is key to
making any sense of the traffic it sees, and it does that bit really
well.

It also correlates events into incidents (giving you a shorter list of
cr-p to sift through when chasing an incident) very well, although
sometimes the correlation logic escapes me a bit. Depending on how much
coffee I have had in the morning, this is not always difficult,
though... Its ability to correlate events and incidents across multiple
ManHunt nodes is impressive.

A MAJOR PLUS is that you can define tons of monitoring interfaces on
each ManHunt box and set them to sniff lots of different segments, and
your license (MH is licensed according to the actual sniffed bandwidth
it will see, NOT per interface) is then aggregated across all the
interfaces. This is much cheaper than having to deploy, e.g., 8 separate
sensors of most other products.

We use Nortel switches, so we cannot make use of MH's ability to
"browse" switches (by spanning switch ports over to its monitoring
interfaces one by one) when it is not otherwise occupied, but its
insight into our Cisco routers is very good, even though Networking sees
it as cheeky that an IDS makes QoS suggestions.

The signatures work very well, and Symantec have been quite quick in
releasing signatures to complement the anomaly detection capabilities of
the product. Both facets of the anomaly detection (protocol anomaly,
which works out of the box, and traffic anomaly, which takes a while to
settle into the environment and then complains about traffic pattern
changes) also work very well in my environment.

One thing I don't like is that it does not currently come out of the box
with the ability to blacklist IPs on firewalls, and if you want to do
that, you need to get the application that reconfigures the firewall and
put it on the ManHunt box, calling it whenever you would want to
blacklist an IP. This may not be something that you would use all the
time, but in times of large breakouts it could come in handy. It
integrates into SESA (Symantec Enterprise Security Architecture) now and
one should be able to make SESA create blacklists on SGS or SEF
firewalls (and maybe even FW-1 and PIX, with the necessary Event
Managers for Firewalls) based on ManHunt outputs, but I have not played
with that aspect of the product yet.

Depending on how au fait you are with Linux/Solaris, and who will be
supporting the IDS, you may want to push Symantec and ask them when it's
going to be available as an appliance.

Get a demo CD from Symantec and play with it... it's an insane product
that achieves its goals in rather impressive style.

YMMV, but I hope this helps...

--------------------------------------------------------
J o h a n n   v a n   D u y n, CISSP
IT Risk and Security Manager: British American Tobacco South Africa
Stellenbosch, South Africa Tel.  +27 (21) 8883765 Cel.  +27 (82) 3248035
Fax.  +27 (21) 8883587 eFax. +1 (509) 2785044
E:mail: johann_van_duyn () bat com
--------------------------------------------------------
"...damage amounts in computer-related crime are
 often based on numbers plucked from thin air."

                                                     -- Bruce Schneier
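Johann's post above describes two things the sensor has to do for him: stitch together the two half-conversations that his one-directional taps deliver on separate interfaces, and roll individual events up into incidents. The following is an added illustration of both ideas, written for this archive page; it is not ManHunt code and does not reflect Symantec's correlation logic. The tap records, alert tuples, interface names and signature labels are all constructed sample data, and the 60-second grouping window is an assumption chosen for the example.

```python
from collections import defaultdict

# Constructed sample flow records as two half-duplex taps would deliver them:
# (interface, timestamp, src_ip, src_port, dst_ip, dst_port, byte_count).
# "tap_a" only ever sees client->server traffic, "tap_b" only server->client.
TAP_RECORDS = [
    ("tap_a", 100.0, "10.0.0.5", 40001, "192.0.2.10", 80, 320),
    ("tap_b", 100.1, "192.0.2.10", 80, "10.0.0.5", 40001, 1500),
    ("tap_a", 100.4, "10.0.0.5", 40001, "192.0.2.10", 80, 120),
    ("tap_a", 101.0, "10.0.0.7", 51000, "192.0.2.10", 443, 600),
    ("tap_b", 101.2, "192.0.2.10", 443, "10.0.0.7", 51000, 4200),
    ("tap_a", 102.0, "10.0.0.9", 33000, "192.0.2.20", 22, 80),  # reply never seen
]

# Constructed sample alerts: (timestamp, source_ip, target_ip, signature_label).
# Signature labels are placeholders, not real product signature names.
ALERTS = [
    (200.0, "203.0.113.4", "10.0.0.5", "WEB-001"),
    (200.5, "203.0.113.4", "10.0.0.5", "WEB-002"),
    (230.0, "203.0.113.4", "10.0.0.7", "WEB-001"),
    (400.0, "203.0.113.4", "10.0.0.9", "SSH-001"),   # outside the window: new incident
    (401.0, "198.51.100.8", "10.0.0.5", "SCAN-001"),
]


def conversation_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent key: order the two endpoints so that a packet
    and its reply map to the same conversation."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def merge_directions(records):
    """Combine per-direction records from separate tap interfaces into
    bidirectional conversations keyed by conversation_key()."""
    convs = {}
    for iface, ts, sip, sport, dip, dport, nbytes in records:
        key = conversation_key(sip, sport, dip, dport)
        c = convs.setdefault(key, {"interfaces": set(),
                                   "bytes_from": defaultdict(int),
                                   "first": ts, "last": ts})
        c["interfaces"].add(iface)
        c["bytes_from"][(sip, sport)] += nbytes  # bytes sent by each endpoint
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
    return convs


def one_sided_conversations(convs):
    """Conversations with bytes from only one endpoint. Either the peer never
    answered or one tap feed is missing; both are worth a look when tuning."""
    return [k for k, c in convs.items() if len(c["bytes_from"]) == 1]


def group_into_incidents(alerts, window=60.0):
    """Group alerts by source address. An alert joins the open incident for
    its source if it arrives within `window` seconds of that incident's last
    alert; otherwise a new incident is opened."""
    incidents = []
    open_by_src = {}
    for ts, src, dst, sig in sorted(alerts):
        inc = open_by_src.get(src)
        if inc is None or ts - inc["last"] > window:
            inc = {"src": src, "first": ts, "last": ts,
                   "targets": set(), "signatures": set(), "count": 0}
            incidents.append(inc)
            open_by_src[src] = inc
        inc["last"] = ts
        inc["targets"].add(dst)
        inc["signatures"].add(sig)
        inc["count"] += 1
    return incidents


if __name__ == "__main__":
    convs = merge_directions(TAP_RECORDS)
    for key, c in convs.items():
        print(key, sorted(c["interfaces"]), dict(c["bytes_from"]))
    print("one-sided:", one_sided_conversations(convs))
    for inc in group_into_incidents(ALERTS):
        print(inc["src"], inc["count"], sorted(inc["targets"]), sorted(inc["signatures"]))
```

The conversation key is the whole trick for the tap case: as long as both directions normalise to the same key, it does not matter which interface a packet arrived on. The incident grouping is deliberately simple (one source, one time window); a real product also folds in target, signature family and cross-node data, which is where the "correlation logic escapes me" remark comes from.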

