Snort mailing list archives

RE: RE: Network Behaviour Anomaly Detection


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 24 Jun 2004 06:36:49 -0400

Have you looked at SHADOW (http://www.nswc.navy.mil/ISSEC/CID/)?  That
web site isn't really very good at explaining what it is, but it
basically is an anomaly detection IDS.  It also works very well as a
complement to Snort on the same box.  It collects headers of all traffic
going in and out so that you have the ability to look at a signature hit
(i.e., Snort) in context.  You can answer questions like, "Was the
traffic being initiated from the inside?", "How long has this been going
on?", "What related traffic might there be?", etc.

SHADOW also does some of what you're talking about.  There is an
end-of-day summary that chews through the entire day's data and
calculates the number of packets, bytes transferred, breakdown of tcp,
udp, icmp, etc.  It also breaks the traffic down into which ports are
busiest and which internal or external IP is busiest.  Most of that
breakdown is both by Kbytes and by connections.

All the SHADOW data is stored in gzipped tcpdump files so if you want to
process it with some other software, that's a piece of cake.

SHADOW has seen a couple of upgrades over the past few years and I think
it's a VERY good complement to any signature based IDS.  I have a couple
of them in and I'm sure that most of the IT staff doesn't go looking at
the summaries every day, but I have a little script that grabs some key
indicators out of it.  The big payoff comes when something happens that
they want to track down.  I can go to SHADOW and find the detail they
were looking for.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Cunningham
Sent: Wednesday, June 23, 2004 11:31 PM
To: 'Jon Baer'; focus-ids () securityfocus com;
snort-users () lists sourceforge net
Subject: [Snort-users] RE: Network Behaviour Anomaly Detection



SPADE would be one example...

Ntop could be used for this...

Spade + Snort is good for looking for anomalous port scans that have
been randomized, etc.

Unfortunately it's not what I am looking for.  ntop can help track
connections/ports but not provide the AI necessary to spot anomalies in
network behaviour over time.

I am really looking for something like Arbor Networks' Peakflow X or
Q1 Labs' Qradar products, both of which are pretty pricey in these tight
budget times.

They are designed to look at network connections between systems,
what ports are used, how much traffic moves between systems, when all
this occurs, etc.  Essentially they build up a profile of normal activity
on your network over time, and then if something weird starts happening,
like a database starts talking to a system it never spoke to before, or a
desktop starts making connections to hundreds of production systems, it
alerts you that something might be wrong.  It's sorta like Sourcefire's
RNA product but much more focused on the anomaly AI part of looking at
the information and much less focused on using network intelligence to
correlate with IDS events.

Anyone interested in starting up an open source project to build
something like this?  I think it is the perfect complement to a signature
based IDS system.  It can detect traffic that looks normal to an IDS
system but may actually be malicious.

Example: a developer runs SQL queries against your main production
database at 3am to steal all the credit cards from it and resell them on
the Internet.

An IDS system wouldn't normally say anything about this since it isn't a
defined signature event.  But a Network Behaviour Anomaly detection
system would alert, indicating that it is not normal for that developer
workstation to be making a connection to a production Oracle server from
their desktop at 3am and retrieving such a large amount of data.

Thanks,
Mike





-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



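The behaviour profile Mike describes (who talks to whom on which port, when, and how much) can be sketched in a few dozen lines once the traffic has been reduced to connection records. The following is an added example written for this archive page; it is not code from SHADOW, Snort, SPADE or any of the vendor products named in the thread. The flow records, addresses and thresholds are constructed for illustration; in practice the records would be summarised from the gzipped tcpdump files SHADOW keeps, or from NetFlow, and the baseline would be learned over a much longer period.

```python
"""Network-behaviour baseline and anomaly detection over flow records.

Added example for the Snort-users thread above; not SHADOW/Snort/SPADE
code.  Addresses, byte counts and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str      # client address
    dst: str      # server address
    dport: int    # server port
    nbytes: int   # bytes returned server -> client (assumed direction)
    hour: int     # hour of day (0-23) when the connection started


class Baseline:
    """Profile of 'normal' learned from a training period."""

    def __init__(self):
        self.pairs = set()               # (src, dst, dport) ever seen
        self.hours = defaultdict(set)    # pair -> hours of day seen
        self.volume = defaultdict(list)  # pair -> bytes per flow

    def learn(self, flows):
        for f in flows:
            key = (f.src, f.dst, f.dport)
            self.pairs.add(key)
            self.hours[key].add(f.hour)
            self.volume[key].append(f.nbytes)


def detect(baseline, window, fanout_threshold=50, sigma=3.0):
    """Return (kind, detail) alerts for the flows in one observation window.

    new-pair : a client/server/port triple never seen during training
    off-hours: a known pair active at an hour it was never seen at
    volume   : bytes far above the pair's usual (mean + sigma * stdev)
    fan-out  : one source reaching >= fanout_threshold never-seen servers
               (its individual new-pair alerts are folded into it)
    """
    alerts = []
    new_peers = defaultdict(set)
    for f in window:
        key = (f.src, f.dst, f.dport)
        if key not in baseline.pairs:
            alerts.append(("new-pair", key))
            new_peers[f.src].add(f.dst)
            continue
        if f.hour not in baseline.hours[key]:
            alerts.append(("off-hours", key + (f.hour,)))
        vals = baseline.volume[key]
        # pstdev is 0 for a pair seen once; floor it so one sample
        # does not make every later flow look anomalous
        if f.nbytes > mean(vals) + sigma * max(pstdev(vals), 1.0):
            alerts.append(("volume", key + (f.nbytes,)))
    fanout = {s for s, d in new_peers.items() if len(d) >= fanout_threshold}
    alerts = [a for a in alerts if not (a[0] == "new-pair" and a[1][0] in fanout)]
    for s in sorted(fanout):
        alerts.append(("fan-out", (s, len(new_peers[s]))))
    return alerts


# Constructed hosts (assumed, not from the thread)
DEV, APP, ORACLE, DESKTOP = "10.1.1.5", "10.2.0.10", "10.3.0.20", "10.1.1.7"


def training_flows():
    """Constructed 'normal' work week: the dev box talks to the app server
    over HTTP in office hours; the app server queries Oracle all day with
    modest result sets."""
    flows = []
    for day in range(5):
        for hour in range(9, 18):
            flows.append(Flow(DEV, APP, 8080, 40_000 + 500 * hour + day, hour))
        for hour in range(24):
            flows.append(Flow(APP, ORACLE, 1521, 200_000 + 1_000 * (hour % 4), hour))
    return flows


def build_baseline():
    b = Baseline()
    b.learn(training_flows())
    return b


def suspicious_window():
    """Constructed 03:00 window: the dev box pulls 500 MB straight from
    Oracle, the app server's own query is 20x its usual size, the dev box
    hits the app server at an unusual hour, and a desktop touches 60 servers."""
    flows = [
        Flow(DEV, ORACLE, 1521, 500_000_000, 3),
        Flow(APP, ORACLE, 1521, 4_000_000, 3),
        Flow(DEV, APP, 8080, 45_000, 3),
    ]
    flows += [Flow(DESKTOP, f"10.3.0.{i}", 445, 1_200, 3) for i in range(100, 160)]
    return flows


def run():
    return detect(build_baseline(), suspicious_window())


if __name__ == "__main__":
    for kind, detail in run():
        print(kind, detail)
```

The four alert kinds map directly onto the cases in the thread: the developer workstation reaching the production Oracle server is a new-pair alert, the oversized result set is a volume alert, and the desktop sweeping sixty production hosts collapses into one fan-out alert rather than sixty individual ones. A one-week baseline with fixed thresholds is enough to show the idea; a real deployment needs a longer learning window, per-pair thresholds that account for weekday/weekend cycles, and some way to age out pairs so the baseline does not grow forever.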

