Re: Protocol Anomaly Detection IDS

[Frank Knobbe <fknobbe () knobbeits com>]

On Mon, 2003-02-10 at 20:04, Martin Roesch wrote:
> Just as an FYI, Snort can do protocol anomaly detection, through it's 
> rules-based engine, it's decoder and in its preprocessors.  Protocol 
> anomalies mean different things to different people, of course, so it 
> depends on what you're really looking for.
>
> People commonly think of Snort as a "signature based" IDS only, it's 
> actually capable of a lot more than that...


In addition, besides signatures and protocol anomaly, Snort can also be
used as a behavioral IDS. I have a habit of stressing the fact that
after a Snort install/setup in your network, one should strive to craft
additional Snort rules that define abnormal traffic, such as a web
server establishing connections to the outside, etc. Snort is very
capable of detecting abnormal traffic that way, and through it's
detailed logging can give you clues to what's going on).

Case in point: Just the other day, an engineer of a network vendor set
up a laptop on the perimeter of a company to do some maintenance, and
left the laptop hooked up overnight. Unfortunately, it was running an
anonymous-writable FTP server. Companys signature based IDS didn't
complain, but company's statistical IDS alerted to an FTP server which
wasn't of much concern to the company since they knew that this IP was
used by that laptop. Our Snort based appliance however picked up on the
fact that there was a) an abnormal, rogue FTP present, and b) that that
laptop was receiving parts of a Harry Potter movie in AVI form :) 
indicating an unsecure system (which our test confirmed). 


So, Snort is not just a signature and anomaly based IDS, it is also a
behavioral IDS. 


Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part