Snort mailing list archives
Re: RE: Network Behaviour Anomoly Detection
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 24 Jun 2004 15:25:10 -0400
Hi Mike,
Anyone interested in starting up an opensource project to build somethinglike this?
FYI, Snort's stream4 module (and the new spp_flow) module is capable of logging the stats you mention for any flow that is observed, specifically start/stop time, src/dst IPs and ports, number of packets and number of bytes transferred, as well as IDS event stats and any other flags you care to hang off of them. For example, along with the flow record you could record the number of IDS events that fired for a given flow as well as any anomalies that were detected on that flow (e.g. fragmentation/tcp protocol anomalies, etc).
Snort's got 50% of what you want already, you could implement the anomaly detection as a preprocessor if you were so inclined...
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Intelligent Security Monitoring roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training.Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Network Behaviour Anomoly Detection crayola (Jun 23)
- Re: Network Behaviour Anomoly Detection Jon Baer (Jun 23)
- RE: Network Behaviour Anomoly Detection Michael Cunningham (Jun 23)
- RE: RE: Network Behaviour Anomoly Detection Jerry Shenk (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection security (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection Martin Roesch (Jun 24)
- Re: RE: Network Behaviour Anomoly Detection pieter claassen (Jun 26)
- Re: RE: Network Behaviour Anomoly Detection security (Jun 30)
- RE: Network Behaviour Anomoly Detection Michael Cunningham (Jun 23)
- Re: Network Behaviour Anomoly Detection Jon Baer (Jun 23)
- <Possible follow-ups>
- RE: RE: Network Behaviour Anomoly Detection hugh_fraser (Jun 30)