Snort mailing list archives

Re: RE: Network Behaviour Anomaly Detection


From: security () jonbaer net
Date: Thu, 24 Jun 2004 07:08:02 -0400

I like this idea, and it was pretty much what I used Snort for in the beginning 
(detecting bad login attempts on production servers - something which should 
never happen) ... however ... what I think you describe, and what pertains more 
to it, is just building a better "security policy" around your network. You 
could probably build a GUI around Snort telling it about the policy ... that 
is what you really are keeping alerts for: anomalies against any given policy.  

I'm not knocking your idea, but it sounds more like an opportunity to apply the 
base of Snort to a tool which collaborates w/ people, procedures, and policy.

- Jon

On Wed, Jun 23, 2004 at 11:31:26PM -0400, Michael Cunningham wrote:

> Anyone interested in starting up an open source project to build something
> like this?
>
> I think it is the perfect complement to a signature based IDS system. It can
> detect traffic that looks normal to an IDS system but may actually be
> malicious..
>
> Example: a developer runs sql queries against your main production database
> at 3am to steal all the credit cards from it and resell on the Internet.
> An IDS system wouldn't normally say anything about this since it isn't a
> defined signature event. But a Network Behaviour Anomaly detection system would
> alert

-- 
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
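Michael's 3am scenario above, as an added worked example that is not code from this thread or from Snort: a toy behaviour baseline over flow records. Per (source, destination, destination port) it learns which hours of the day the pair normally talks and the largest transfer ever seen, then flags flows that fall outside either. The hosts (app server 10.2.0.20, developer box 10.1.5.23, production DB 10.2.0.10:3306), the record format and the byte counts are all constructed for the example; a real deployment would feed it NetFlow or connection logs.

```python
"""Toy network-behaviour anomaly detector.

Added example, not code from the thread or from Snort.  Per (src, dst, dport)
flow key it learns which hours of the day the pair normally talks and the
largest transfer seen, then flags flows that break that baseline.  All hosts,
ports, byte counts and the record format are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Baseline:
    hours: set = field(default_factory=set)   # hours of day observed for this key
    max_bytes: int = 0                         # largest single flow seen
    count: int = 0


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'YYYY-mm-ddTHH:MM src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), src, dst, int(dport), int(nbytes))


def learn(flows) -> dict:
    """Build the per-flow-key baseline from a training window of normal traffic."""
    base = defaultdict(Baseline)
    for f in flows:
        b = base[(f.src, f.dst, f.dport)]
        b.hours.add(f.ts.hour)
        b.max_bytes = max(b.max_bytes, f.nbytes)
        b.count += 1
    return dict(base)


def score(flow: Flow, base: dict, volume_factor: int = 10) -> list:
    """Return the reasons a flow deviates from baseline (empty list = normal)."""
    b = base.get((flow.src, flow.dst, flow.dport))
    if b is None:
        return ["flow key never seen in baseline"]
    reasons = []
    if flow.ts.hour not in b.hours:
        reasons.append("hour %02d outside baseline hours" % flow.ts.hour)
    if flow.nbytes > volume_factor * b.max_bytes:
        reasons.append("%d bytes exceeds %dx baseline max %d"
                       % (flow.nbytes, volume_factor, b.max_bytes))
    return reasons


def constructed_training_flows() -> list:
    """Five days of constructed 'normal' traffic to the production DB 10.2.0.10:3306:
    the app server talks to it around the clock, the developer box only 09:00-17:00."""
    flows = []
    start = datetime(2004, 6, 14)
    for day in range(5):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            flows.append(Flow(ts, "10.2.0.20", "10.2.0.10", 3306, 50_000))
            if 9 <= hour <= 17:
                flows.append(Flow(ts, "10.1.5.23", "10.2.0.10", 3306, 20_000))
    return flows


BASELINE = learn(constructed_training_flows())

# Constructed flows to score: the 3am bulk query from the developer box (the
# thread's example), a normal app-server flow at the same hour, and an unknown host.
SAMPLE_LINES = [
    "2004-06-24T03:00 10.1.5.23 10.2.0.10 3306 900000000",
    "2004-06-24T03:00 10.2.0.20 10.2.0.10 3306 52000",
    "2004-06-24T03:05 10.1.7.99 10.2.0.10 3306 4000",
]


def alerts(lines=SAMPLE_LINES, base=BASELINE) -> dict:
    """Map each anomalous record to its list of reasons; normal records are dropped."""
    out = {}
    for line in lines:
        reasons = score(parse_flow(line), base)
        if reasons:
            out[line] = reasons
    return out


if __name__ == "__main__":
    for line, reasons in alerts().items():
        print("ALERT", line, "->", "; ".join(reasons))
```

Every packet in the developer's 3am session is well-formed MySQL, so a content signature has nothing to match on; the baseline catches it twice over, on the hour of day and on the transfer volume, while the app server's identical-looking flow at the same hour stays silent. The caveat is the one Jon raises: the baseline only encodes what the policy says is normal if the training window was clean, so it needs to be reviewed against the written policy rather than trusted blindly.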


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users