Snort mailing list archives
RE: RE: Network Behaviour Anomoly Detection
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 24 Jun 2004 06:36:49 -0400
Have you looked at SHADOW (http://www.nswc.navy.mil/ISSEC/CID/)? That web site isn't really very good at explaining what it is, but it basically is an anomaly detection IDS. It also works very well as a complement to Snort on the same box. It collects headers of all traffic going in and out so that you have the ability to look at a signature hit (i.e. Snort) in context. You can answer questions like, "Was the traffic being initiated from the inside?", "How long has this been going on?", "What related traffic might there be?", etc.

SHADOW also does some of what you're talking about. There is an end-of-day summary that chews through the entire day's data and calculates the number of packets, bytes transferred, breakdown of tcp, udp, icmp, etc. It also breaks the traffic down into which ports are busiest, which internal or external IP is busiest. Most of that breakdown is both by Kbytes and by connections. All the SHADOW data is stored in gzipped tcpdump files, so if you want to process it with some other software, that's a piece of cake.

SHADOW has seen a couple of upgrades over the past few years and I think it's a VERY good complement to any signature based IDS. I have a couple of them in and I'm sure that most of the IT staff doesn't go looking at the summaries every day, but I have a little script that grabs some key indicators out of it. The big payoff comes when something happens that they want to track down. I can go to SHADOW and find the detail they were looking for.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Cunningham
Sent: Wednesday, June 23, 2004 11:31 PM
To: 'Jon Baer'; focus-ids () securityfocus com; snort-users () lists sourceforge net
Subject: [Snort-users] RE: Network Behaviour Anomoly Detection
SPADE would be one example...
Ntop could be used for this...
Spade + Snort is good for looking for anomalous port scans that have been randomized, etc. Unfortunately it's not what I am looking for. ntop can help track connections/ports but not provide the AI necessary to spot anomalies in network behaviour over time. I am really looking for something like Arbor Networks Peakflow X or Q1 Labs Qradar products, both of which are pretty pricey in these tight budget times. They are designed to look at network connections between systems, what ports are used, how much traffic moves between systems, when all this occurs, etc. Essentially they build up a profile of normal activity on your network over time, and then if something weird starts happening, like a database starts talking to a system it never spoke to before, or a desktop starts making connections to hundreds of production systems, it alerts you that something might be wrong. It's sorta like Sourcefire's RNA product but much more focused on the anomaly AI part of looking at the information and much less focused on using network intelligence to correlate with IDS events.

Anyone interested in starting up an opensource project to build something like this? I think it is the perfect complement to a signature based IDS system. It can detect traffic that looks normal to an IDS system but may actually be malicious. Example: a developer runs SQL queries against your main production database at 3am to steal all the credit cards from it and resell on the Internet. An IDS system wouldn't normally say anything about this since it isn't a defined signature event. But a Network Behaviour Anomaly detection system would alert indicating that it is not normal for that developer workstation to be making a connection to a production Oracle server from their desktop at 3am and retrieving such a large amount of data.

Thanks,
Mike

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
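The profile-then-deviate logic Mike describes (new peer, desktop fan-out, off-hours bulk pull), built on the kind of per-host/per-port breakdown Jerry's SHADOW end-of-day summary produces, as an added Python sketch that is not from this thread or from any product named in it; the hostnames, ports, thresholds and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flows (not real traffic): (hour, src, dst, dport, bytes)
BASELINE = [
    (9, "dev01", "oracle-prod", 1521, 20_000), (10, "dev01", "oracle-prod", 1521, 35_000),
    (14, "dev01", "oracle-prod", 1521, 30_000), (9, "dev01", "git", 22, 5_000),
    (11, "web01", "oracle-prod", 1521, 400_000), (10, "dev02", "git", 22, 8_000),
]
LIVE = [
    (3, "dev01", "oracle-prod", 1521, 2_000_000),  # 3am bulk pull from a dev desktop
    (10, "dev01", "oracle-prod", 1521, 25_000),    # ordinary daytime query
    (11, "oracle-prod", "dev02", 445, 1_000),      # database contacting a peer it never spoke to
] + [(12, "dev02", f"prod-{i:02d}", 22, 500) for i in range(1, 6)]  # desktop sweeping prod hosts

def build_profile(flows):
    """Learn 'normal': who talks to whom on which port, at which hours, how much, and to how many peers."""
    p = {"pairs": set(), "hours": defaultdict(set),
         "max_bytes": defaultdict(int), "peers": defaultdict(set)}
    for hour, src, dst, dport, nbytes in flows:
        key = (src, dst, dport)
        p["pairs"].add(key)
        p["hours"][key].add(hour)
        p["max_bytes"][key] = max(p["max_bytes"][key], nbytes)
        p["peers"][src].add(dst)
    return p

def detect(profile, flows, fanout_factor=5, volume_factor=3):
    """Return (reason, flow) alerts for flows that deviate from the learned profile."""
    alerts, live_peers = [], defaultdict(set)
    for flow in flows:
        hour, src, dst, dport, nbytes = flow
        key = (src, dst, dport)
        if key not in profile["pairs"]:
            alerts.append(("new-peer", flow))
        elif hour not in profile["hours"][key] and nbytes > volume_factor * profile["max_bytes"][key]:
            alerts.append(("off-hours-volume", flow))
        live_peers[src].add(dst)
        # fire once when a host reaches fanout_factor times its usual number of distinct peers
        if len(live_peers[src]) == fanout_factor * max(1, len(profile["peers"][src])):
            alerts.append(("fan-out", flow))
    return alerts

def alert_counts(baseline=BASELINE, live=LIVE):
    """Tally alerts by reason, the sort of key indicator a daily script would pull out."""
    counts = defaultdict(int)
    for reason, _ in detect(build_profile(baseline), live):
        counts[reason] += 1
    return dict(counts)

if __name__ == "__main__":
    for reason, flow in detect(build_profile(BASELINE), LIVE):
        print(f"{reason:17s} {flow}")
```

Real deployments would learn hours and volumes per weekday and keep the baseline rolling, but the three checks above are the core of what the commercial products do.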
Current thread:
- Network Behaviour Anomoly Detection crayola (Jun 23)
- Re: Network Behaviour Anomoly Detection Jon Baer (Jun 23)
- RE: Network Behaviour Anomoly Detection Michael Cunningham (Jun 23)
- RE: RE: Network Behaviour Anomoly Detection Jerry Shenk (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection security (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection Martin Roesch (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection pieter claassen (Jun 26)
- Re: RE: Network Behaviour Anomoly Detection security (Jun 30)
- RE: Network Behaviour Anomoly Detection Michael Cunningham (Jun 23)
- Re: Network Behaviour Anomoly Detection Jon Baer (Jun 23)
- <Possible follow-ups>
- RE: RE: Network Behaviour Anomoly Detection hugh_fraser (Jun 30)