IDS mailing list archives
Re: Anamoly based network IDS
From: Lance Spitzner <lance () honeynet org>
Date: Thu, 27 Mar 2003 09:48:53 -0600 (CST)
On Wed, 26 Mar 2003, vishal p wrote:
> Hi Lau Ker Chea,
>
> To understand anomaly-based IDS, refer to the following link: http://www.securityfocus.com/infocus/1663
> This is the basic article which shows the difference between signature-based IDS and protocol-based IDS. Anomaly IDS works on protocol analysis only... Symantec Manhunt is a good example of that.
Another good example of anomaly detection are honeypots. These are systems that have no authorized activity. Any connection to (or from) the honeypot is by definition an anomaly (making them very powerful detection solutions). In fact, Christian Kreibich has developed Honeycomb, a plugin for the honeypot Honeyd that not only detects and logs anomalous activity, but in real time generates IDS rules based on the activity (specifically Snort).

Honeycomb/Honeyd
http://www.citi.umich.edu/u/provos/honeyd/ch01-results/

lance
http://www.tracking-hackers.com
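The detection model in Lance's reply is simple to state: a honeypot has no authorized activity, so every flow that touches it is an anomaly, and Honeycomb turns those flows into Snort rules. The script below is an added illustration of that model, not code from the mail, from Honeyd or from Honeycomb. It assumes a constructed flow-log format (`<ts> <proto> <src>:<sport> -> <dst>:<dport>`), uses the documentation range 192.0.2.0/28 as the honeypot's addresses, and emits a simplified Snort alert rule for each inbound or outbound contact; the SID numbering and rule shape are assumptions, and real Honeycomb adds payload-derived content matches that this example does not attempt.

```python
# Added example (not Honeycomb/Honeyd code): flag every flow that touches a
# honeypot address and turn it into a Snort-style alert rule.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts proto src sport dst dport")

# Constructed: the honeypot owns this range; nothing legitimate lives there.
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/28")

# Constructed flow log lines: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
1048780000 tcp 198.51.100.7:51234 -> 192.0.2.5:22
1048780001 tcp 198.51.100.7:51235 -> 203.0.113.10:80
1048780002 udp 198.51.100.9:40000 -> 192.0.2.3:161
1048780003 tcp 192.0.2.4:33000 -> 198.51.100.20:6667
"""


def parse_line(line):
    """Parse one constructed flow-log line into a Flow tuple."""
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(int(ts), proto, sip, int(sport), dip, int(dport))


def is_anomalous(flow):
    """Any flow touching the honeypot, inbound or outbound, is an anomaly
    because the honeypot has no authorized activity at all."""
    return (ipaddress.ip_address(flow.src) in HONEYPOT_NET
            or ipaddress.ip_address(flow.dst) in HONEYPOT_NET)


def snort_rule(flow, sid):
    """Build a simplified Snort alert rule for the observed flow.
    Source port is left as 'any' since ephemeral ports vary."""
    outbound = ipaddress.ip_address(flow.src) in HONEYPOT_NET
    direction = "outbound" if outbound else "inbound"
    return (f'alert {flow.proto} {flow.src} any -> {flow.dst} {flow.dport} '
            f'(msg:"Honeypot {direction} contact"; sid:{sid}; rev:1;)')


def detect(log_text, first_sid=1000001):
    """Return one Snort rule per anomalous flow in the log, SIDs ascending.
    Outbound contact from the honeypot is the more alarming case: it suggests
    the honeypot itself has been compromised and is being used."""
    rules = []
    sid = first_sid
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if is_anomalous(flow):
            rules.append(snort_rule(flow, sid))
            sid += 1
    return rules


if __name__ == "__main__":
    for rule in detect(SAMPLE_LOG):
        print(rule)
```

Three of the four constructed flows touch the honeypot (two inbound, one outbound from 192.0.2.4), so three rules come out; the flow to 203.0.113.10:80 is ordinary traffic and produces nothing.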