IDS mailing list archives

Re: Protocol Anomaly Detection IDS


From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Thu, 6 Feb 2003 13:23:06 -0500 (EST)

Moderator: The demo was 7 months ago, so I don't have the
details handy on the exact version information, but it was pre-Symantec
ManHunt.

I've only demoed ManHunt among the PAD-heavy IDS, and it appeared pretty
useless in our network. Unfortunately, vast quantities of network traffic
are not RFC compliant, so we were receiving hundreds of false positives
every few seconds that were indistinguishable from events actually worth
looking at.  Lots of events like HTTP-PROT-VIOLATION or whatever they were
called don't exactly help.  Maybe there's some way to tweak it, just as
any signature- and statistics-based IDS usually requires an initial
investment in tweaking, but I tend to doubt it.

Signature-based IDS will generate lots and lots of different events, and
worthwhile ones can get lost in the crowd, but the PAD as I saw it
generated many events of only a few different types; I just don't see how
useful info could be pulled out, though I hope someone else on the list has
better experiences.

I hope someone else had a better experience, because ManHunt has so many
excellent features that, even if its signature detection were more robust, we
considered getting it and just turning the PAD off.

--
jordan

On Tue, 4 Feb 2003, Michael L. Artz wrote:

I am trying to supplement our existing signature-based IDS (Snort, gotta
love open source) with a protocol-anomaly-based one in a fairly large
enterprise network.  I am in the fairly early stages of research, so I
guess that the first question would be, is it worth it?
