Re: Protocol Anomaly Detection IDS

[Martin Roesch <roesch () sourcefire com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No whitepapers, but the capability is pretty self evident if you 
understand how Snort works.  I suppose I should probably write 
something up one of these days...

     -Marty

On Tuesday, February 11, 2003, at 03:16 PM, Curt Purdy wrote:

> Are there any whitepapers on this capability?
>
> Also, I thought your panel discussion at D.C. SANS was great.  Liked 
> hearing
> what it is like straight from the entrepreneurial horses mouth, so to 
> speak
> ;)
>
> Curt Purdy CISSP, MCSE+I, CNE, CCDA
> Senior Systems Engineer
> Information Security Engineer
> DP Solutions
> cpurdy () dpsol com
>
> ----------------------------------------
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
>
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch () sourcefire com]
> Sent: Monday, February 10, 2003 8:05 PM
> To: slyph () alum mit edu
> Cc: focus-ids () securityfocus com
> Subject: Re: Protocol Anomaly Detection IDS
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just as an FYI, Snort can do protocol anomaly detection, through it's
> rules-based engine, it's decoder and in its preprocessors.  Protocol
> anomalies mean different things to different people, of course, so it
> depends on what you're really looking for.
>
> People commonly think of Snort as a "signature based" IDS only, it's
> actually capable of a lot more than that...
>
>       -Marty
>
>
> On Tuesday, February 4, 2003, at 11:07 PM, Michael L. Artz wrote:
>
> > I am trying to supplement our existing signature based IDS (Snort,
> > gotta love open source) with a protocol anomaly based one in a fairly
> > large enterprise network.  I am in the fairly early stages of
> > research, so I guess that the first question would be, is it worth it?
> >
> > I hear the anomaly detection buzzword thrown around a lot these days,
> > and can't quite get past all the marketing hype.  From what I can
> > tell, protocol anomaly detection seems to be the more promising than
> > the statistical for detecting new or IDS-cloaked attacks.  However the
> > notion of "conforming to RFCs" leaves a lot of leeway for the vendors
> > to play with.  How well do these types of systems actually work?
> >
> > Does anyone have any recommendations as to which systems to look
> > into/stay away from?  Below is a list of some of the ones that looked
> > like they might support protocol anomaly detection from their
> > marketing hype, let me know if I left any out/incorrectly added any:
> >
> > Lancope Stealthwatch
> > Tipping Point/UnityOne
> > ISS RealSecure Guard
> > Cisco IDS 4250
> > CA/eTrust IDS
> > Intruvert Intrushield
> > NFR Network Intrusion Detection System
> > Netscreen/Onesecure IDP
> > Symantec ManHunt
> >
> > Any clues or headstarts to get me pointed in the right direction would
> > be great.
> >
> > Thanks
> > -Mike
> - --
> Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
> Sourcefire: Enterprise-class Intrusion detection built on Snort
> roesch () sourcefire com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (Darwin)
>
> iD8DBQE+SFpKqj0FAQQ3KOARAqstAJsENil79/rVhmInh/V3ooA7kuMa0wCeIj4Y
> GEOIYATApnZIasjE9OKnbF4=
> =QCxg
> -----END PGP SIGNATURE-----
- -- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+Uaixqj0FAQQ3KOARAvcUAJ94dGDJFlJSNdkeoQyeyX6CQWx+/gCcDmPT
oJlCZTiDXXQRmMimlvePZY4=
=sto6
-----END PGP SIGNATURE-----