Snort mailing list archives

Re: RE: Network Behaviour Anomaly Detection


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 24 Jun 2004 15:25:10 -0400

Hi Mike,

Anyone interested in starting up an opensource project to build something
like this?

FYI, Snort's stream4 module (and the new spp_flow module) is capable of logging the stats you mention for any flow that is observed, specifically start/stop time, src/dst IPs and ports, number of packets and number of bytes transferred, as well as IDS event stats and any other flags you care to hang off of them. For example, along with the flow record you could record the number of IDS events that fired for a given flow as well as any anomalies that were detected on that flow (e.g. fragmentation/TCP protocol anomalies, etc.).

Snort's got 50% of what you want already; you could implement the anomaly detection as a preprocessor if you were so inclined...

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
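An added illustration, not code from the thread or from Snort itself: a Python sketch of the flow record Martin describes (5-tuple, start/stop time, packet and byte counts, extra flags hung off the record), built from constructed sample packets, plus one behavioural check over those records. The packet tuple layout and the median/MAD robust z-score used for the baseline are my own choices, not anything stream4 or spp_flow does.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

# Constructed sample packets (not real traffic): (ts, src_ip, sport, dst_ip, dport, proto, bytes)
PACKETS = [
    (1.0, "10.0.0.5", 40001, "10.0.0.80", 80, "tcp", 480),
    (1.2, "10.0.0.6", 40002, "10.0.0.80", 80, "tcp", 490),
    (1.4, "10.0.0.7", 40003, "10.0.0.80", 80, "tcp", 500),
    (1.6, "10.0.0.8", 40004, "10.0.0.80", 80, "tcp", 510),
    (1.8, "10.0.0.9", 40005, "10.0.0.80", 80, "tcp", 520),
]
# One more flow to the same service carrying 35 x 1400-byte packets: the outlier to catch.
PACKETS += [(2.0 + i * 0.01, "10.0.0.5", 40006, "10.0.0.80", 80, "tcp", 1400) for i in range(35)]

@dataclass
class FlowRecord:
    key: tuple            # (src_ip, src_port, dst_ip, dst_port, proto)
    start: float          # first packet seen
    end: float            # last packet seen
    packets: int = 0
    bytes: int = 0
    anomalies: list = field(default_factory=list)  # extra flags hung off the record

def build_flows(packets):
    """Aggregate packets into per-5-tuple flow records (the stats stream4/spp_flow can log)."""
    flows = {}
    for ts, src, sport, dst, dport, proto, size in packets:
        key = (src, sport, dst, dport, proto)
        rec = flows.setdefault(key, FlowRecord(key, ts, ts))
        rec.end = max(rec.end, ts)
        rec.packets += 1
        rec.bytes += size
    return list(flows.values())

def flag_volume_outliers(flows, threshold=3.5):
    """Median/MAD baseline of bytes-per-flow per (proto, dst_port); one huge flow cannot mask it."""
    by_service = defaultdict(list)
    for rec in flows:
        by_service[(rec.key[4], rec.key[3])].append(rec.bytes)
    for rec in flows:
        sample = by_service[(rec.key[4], rec.key[3])]
        med = median(sample)
        mad = median([abs(b - med) for b in sample])
        if len(sample) < 5 or mad == 0:
            continue  # too little history on this service, or no spread, to score against
        z = 0.6745 * (rec.bytes - med) / mad   # robust z-score; 0.6745 scales MAD to sigma
        if abs(z) > threshold:
            rec.anomalies.append(f"bytes_per_flow robust z={z:.1f}")
    return [rec for rec in flows if rec.anomalies]
```

A mean/stdev baseline over the same six flows would put the outlier at barely 2.2 sigma because the outlier inflates its own baseline; the median/MAD form is what makes a per-service threshold usable on small samples.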


