Snort mailing list archives
Re: RE: Network Behaviour Anomoly Detection
From: security () jonbaer net
Date: Thu, 24 Jun 2004 07:08:02 -0400
I like this idea, and it was pretty much what I used Snort for in the beginning (detecting bad login attempts on production servers, something which should never happen) ... however ... what I think you describe, and what pertains more to it, is just building a better "security policy" around your network. You could probably build a GUI around Snort telling it about the policy ... that is what you really are keeping alerts for: anomalies against any given policy. I'm not knocking your idea, but it sounds more like an opportunity to apply the base of Snort to a tool which collaborates w/ people, procedures, and policy.

- Jon

On Wed, Jun 23, 2004 at 11:31:26PM -0400, Michael Cunningham wrote:
> Anyone interested in starting up an opensource project to build something like this? I think it is the perfect complement to a signature based IDS system. It can detect traffic that looks normal to an IDS system but may actually be malicious. Example: a developer runs sql queries against your main production database at 3am to steal all the credit cards from it and resell on the Internet. An IDS system wouldn't normally say anything about this since it isn't a defined signature event. But a Network Behaviour Anomaly detection system would alert
--
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
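The two ideas in this exchange (Michael's 3am bulk pull from the production database that no signature would match, and Jon's point that what you really alert on is a deviation from a declared policy) can be combined in one small check. The script below is an added example written for this archive page; it is not code from the thread or from the Snort project. It learns a per-client baseline (hours of day seen, typical response volume) from a set of constructed flow records, then evaluates later records against both a hand-written policy and that baseline. The IP addresses, port, byte counts and the allowed-hours window are all made up for the example.

```python
"""Toy policy + behavioural-anomaly check for database access.

Added example for the Snort-users thread above; not Snort code and not
code from any poster. All flow records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: (timestamp, client_ip, server_ip, server_port,
# bytes_sent_by_server). Think of them as summarised DB connections.
BASELINE = [
    ("2004-06-21 09:12:04", "10.0.1.15", "10.0.9.5", 1433, 48_000),
    ("2004-06-21 10:40:31", "10.0.1.15", "10.0.9.5", 1433, 52_000),
    ("2004-06-21 11:05:12", "10.0.1.15", "10.0.9.5", 1433, 45_000),
    ("2004-06-22 14:18:59", "10.0.1.15", "10.0.9.5", 1433, 50_000),
    ("2004-06-22 15:22:07", "10.0.1.15", "10.0.9.5", 1433, 55_000),
    ("2004-06-23 16:47:43", "10.0.1.15", "10.0.9.5", 1433, 47_000),
    ("2004-06-23 09:01:10", "10.0.1.16", "10.0.9.5", 1433, 30_000),
]

RECENT = [
    ("2004-06-24 10:02:11", "10.0.1.15", "10.0.9.5", 1433, 51_000),       # ordinary
    ("2004-06-24 03:07:45", "10.0.1.15", "10.0.9.5", 1433, 950_000_000),  # 3am bulk pull
    ("2004-06-24 14:30:00", "10.0.2.77", "10.0.9.5", 1433, 12_000),       # host not in policy
]

# Declared policy (Jon's point): who may reach the DB server and when.
# Hypothetical values chosen for the example.
POLICY = {
    "allowed_clients": {"10.0.1.15", "10.0.1.16"},
    "allowed_hours": range(7, 20),  # 07:00 to 19:59 local time
}


def parse(rec):
    """Turn a record tuple into (datetime, src, dst, port, bytes)."""
    ts, src, dst, port, nbytes = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port, nbytes


def build_baseline(records):
    """Per client host: set of hours seen and response-volume statistics."""
    hours = defaultdict(set)
    volumes = defaultdict(list)
    for ts, src, _dst, _port, nbytes in map(parse, records):
        hours[src].add(ts.hour)
        volumes[src].append(nbytes)
    return {
        src: {"hours": hours[src],
              "mean": mean(volumes[src]),
              "stdev": pstdev(volumes[src])}
        for src in hours
    }


def evaluate(records, profile, policy, sigma=3.0):
    """Return (timestamp, client, [reasons]) for every record that breaks
    the declared policy or departs from the learned behaviour."""
    findings = []
    for ts, src, _dst, _port, nbytes in map(parse, records):
        reasons = []
        # Policy checks: explicit rules, no learning involved.
        if src not in policy["allowed_clients"]:
            reasons.append("policy: client not permitted")
        if ts.hour not in policy["allowed_hours"]:
            reasons.append("policy: outside permitted hours")
        # Behavioural checks: compare against what this client usually does.
        prof = profile.get(src)
        if prof is None:
            reasons.append("behaviour: no baseline for client")
        else:
            if ts.hour not in prof["hours"]:
                reasons.append("behaviour: hour never seen in baseline")
            threshold = prof["mean"] + sigma * prof["stdev"]
            if nbytes > threshold:
                reasons.append(f"behaviour: volume {nbytes} exceeds {threshold:.0f}")
        if reasons:
            findings.append((ts.strftime("%Y-%m-%d %H:%M:%S"), src, reasons))
    return findings


def run():
    """Build the baseline from BASELINE and evaluate RECENT against it."""
    return evaluate(RECENT, build_baseline(BASELINE), POLICY)


if __name__ == "__main__":
    for when, client, reasons in run():
        print(when, client)
        for r in reasons:
            print("   ", r)
```

The ordinary 10:02 connection produces nothing; the 3am pull is caught three ways (outside policy hours, an hour the client has never used, and volume far beyond mean plus three standard deviations); the unknown client is caught by policy and by the absence of any baseline. The caveat the thread is circling is that the behavioural half is only as good as the baseline period: if the developer's off-hours queries were already present when the profile was learned, they are "normal", which is why the explicit policy layer still matters.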
Current thread:
- Network Behaviour Anomoly Detection crayola (Jun 23)
- Re: Network Behaviour Anomoly Detection Jon Baer (Jun 23)
- RE: Network Behaviour Anomoly Detection Michael Cunningham (Jun 23)
- RE: RE: Network Behaviour Anomoly Detection Jerry Shenk (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection security (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection Martin Roesch (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection pieter claassen (Jun 26)
- Re: RE: Network Behaviour Anomoly Detection security (Jun 30)
- RE: Network Behaviour Anomoly Detection Michael Cunningham (Jun 23)
- Re: Network Behaviour Anomoly Detection Jon Baer (Jun 23)
- <Possible follow-ups>
- RE: RE: Network Behaviour Anomoly Detection hugh_fraser (Jun 30)