IDS mailing list archives
Re: Protocol Anomaly Detection IDS
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 17 Feb 2003 22:29:48 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No whitepapers, but the capability is pretty self evident if you understand how Snort works. I suppose I should probably write something up one of these days...

-Marty

On Tuesday, February 11, 2003, at 03:16 PM, Curt Purdy wrote:

> Are there any whitepapers on this capability?
>
> Also, I thought your panel discussion at D.C. SANS was great. Liked hearing what it is like straight from the entrepreneurial horse's mouth, so to speak ;)
>
> Curt Purdy CISSP, MCSE+I, CNE, CCDA
> Senior Systems Engineer
> Information Security Engineer
> DP Solutions
> cpurdy () dpsol com
>
> ----------------------------------------
> If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch () sourcefire com]
> Sent: Monday, February 10, 2003 8:05 PM
> To: slyph () alum mit edu
> Cc: focus-ids () securityfocus com
> Subject: Re: Protocol Anomaly Detection IDS
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just as an FYI, Snort can do protocol anomaly detection, through its rules-based engine, its decoder and in its preprocessors. Protocol anomalies mean different things to different people, of course, so it depends on what you're really looking for. People commonly think of Snort as a "signature based" IDS only; it's actually capable of a lot more than that...
>
> -Marty
>
> On Tuesday, February 4, 2003, at 11:07 PM, Michael L. Artz wrote:
>
>> I am trying to supplement our existing signature based IDS (Snort, gotta love open source) with a protocol anomaly based one in a fairly large enterprise network. I am in the fairly early stages of research, so I guess that the first question would be, is it worth it? I hear the anomaly detection buzzword thrown around a lot these days, and can't quite get past all the marketing hype. From what I can tell, protocol anomaly detection seems to be more promising than the statistical kind for detecting new or IDS-cloaked attacks. However, the notion of "conforming to RFCs" leaves a lot of leeway for the vendors to play with. How well do these types of systems actually work?
>>
>> Does anyone have any recommendations as to which systems to look into/stay away from? Below is a list of some of the ones that looked like they might support protocol anomaly detection from their marketing hype; let me know if I left any out/incorrectly added any:
>>
>> Lancope Stealthwatch
>> Tipping Point/UnityOne
>> ISS RealSecure Guard
>> Cisco IDS 4250
>> CA/eTrust IDS
>> Intruvert Intrushield
>> NFR Network Intrusion Detection System
>> Netscreen/Onesecure IDP
>> Symantec ManHunt
>>
>> Any clues or headstarts to get me pointed in the right direction would be great.
>>
>> Thanks
>> -Mike
>
> - --
> Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
> Sourcefire: Enterprise-class Intrusion detection built on Snort
> roesch () sourcefire com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (Darwin)
>
> iD8DBQE+SFpKqj0FAQQ3KOARAqstAJsENil79/rVhmInh/V3ooA7kuMa0wCeIj4Y
> GEOIYATApnZIasjE9OKnbF4=
> =QCxg
> -----END PGP SIGNATURE-----

- --
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+Uaixqj0FAQQ3KOARAvcUAJ94dGDJFlJSNdkeoQyeyX6CQWx+/gCcDmPT
oJlCZTiDXXQRmMimlvePZY4=
=sto6
-----END PGP SIGNATURE-----
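Marty's point in the quoted Feb 10 reply is that anomaly detection in Snort happens in three different places: the decoder (is the packet structurally sane?), the preprocessors (does the application protocol follow its grammar?), and only last the rules engine (does the content match a known pattern?). The toy pipeline below, added here as an illustration and not taken from Snort or from anyone in the thread, mirrors that layering on constructed packets: the stage names, thresholds such as MAX_URI_LEN, the rule ids and the sample traffic are all assumptions of this example, and the TCP layer is omitted so the IPv4 header is followed directly by HTTP bytes. The interesting samples are the three anomalies, which trip the decoder or the HTTP preprocessor without any content rule firing, which is the kind of "new or IDS-cloaked" traffic Michael asked about.

```python
"""Toy three-stage packet inspector: decoder -> protocol preprocessor -> content rules.

Constructed illustration only; stage boundaries, thresholds and rule ids are
assumptions of this example, not Snort's real decoder, preprocessor or rule code.
The IPv4 header is followed directly by HTTP bytes (TCP layer omitted for brevity).
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

MAX_URI_LEN = 64                                    # illustrative threshold (assumed)
METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}
SIGNATURES = [("sig-1", b"cmd.exe"), ("sig-2", b"/etc/passwd")]  # constructed content rules


@dataclass
class Verdict:
    alerts: List[str] = field(default_factory=list)


def decode_ipv4(pkt: bytes, v: Verdict) -> Optional[bytes]:
    """Decoder stage: is the IPv4 header internally consistent? Returns payload or None."""
    if len(pkt) < 20:
        v.alerts.append("decoder: truncated IPv4 header")
        return None
    vihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        v.alerts.append(f"decoder: IP version {version} is not 4")
    if ihl < 20:                                     # IHL below the minimum of 5 words
        v.alerts.append(f"decoder: header length {ihl} < 20")
        return None
    if total_len > len(pkt):                         # header claims more than was captured
        v.alerts.append(f"decoder: total length {total_len} exceeds captured {len(pkt)}")
        return None
    if ihl > total_len:                              # options would run past the packet end
        v.alerts.append(f"decoder: header length {ihl} exceeds total length {total_len}")
        return None
    return pkt[ihl:total_len]


def http_preprocess(payload: bytes, v: Verdict) -> None:
    """Preprocessor stage: does the request line follow the HTTP grammar, whatever it carries?"""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        v.alerts.append(f"http: request line has {len(parts)} fields, expected 3")
        return
    method, uri, version = parts
    if method.decode("ascii", "replace") not in METHODS:
        v.alerts.append(f"http: unknown method {method!r}")
    if not version.startswith(b"HTTP/"):
        v.alerts.append(f"http: malformed version {version!r}")
    if len(uri) > MAX_URI_LEN:
        v.alerts.append(f"http: URI length {len(uri)} > {MAX_URI_LEN}")
    if any(b < 0x20 or b > 0x7E for b in uri):
        v.alerts.append("http: non-printable byte in URI")


def match_rules(payload: bytes, v: Verdict) -> None:
    """Rules stage: plain content matching, the part usually called 'signatures'."""
    for sid, pattern in SIGNATURES:
        if pattern in payload:
            v.alerts.append(f"rule {sid}: content {pattern!r}")


def inspect(pkt: bytes) -> List[str]:
    """Run the three stages in order; a decoder failure stops the pipeline early."""
    v = Verdict()
    payload = decode_ipv4(pkt, v)
    if payload is not None:
        http_preprocess(payload, v)
        match_rules(payload, v)
    return v.alerts


def build_ipv4(payload: bytes, ihl_words: int = 5, total_len: Optional[int] = None) -> bytes:
    """Constructed packet builder for the demo (checksum left zero, options zeroed)."""
    hdr_len = ihl_words * 4
    total = len(payload) + hdr_len if total_len is None else total_len
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + b"\x00" * max(0, hdr_len - 20) + payload


# Constructed sample traffic: one conformant request, one content hit, and three
# anomalies that no content rule would catch.
SAMPLES = {
    "clean":      build_ipv4(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "content":    build_ipv4(b"GET /cmd.exe HTTP/1.0\r\n"),
    "bad_ihl":    build_ipv4(b"GET / HTTP/1.1\r\n", ihl_words=3),
    "bad_length": build_ipv4(b"GET / HTTP/1.1\r\n", total_len=9999),
    "odd_http":   build_ipv4(b"G\x00T /" + b"A" * 80 + b"\x01 HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} -> {inspect(pkt)}")
```

Running the block prints one line per sample; "clean" produces no alerts, "content" fires only the rules stage, and the other three produce only decoder or http alerts. The design point is the one Marty makes: the decoder and preprocessor checks hold for any payload, so they do not need a pattern for a specific attack, whereas the rules stage sees only what someone has already written a signature for. Which of the "http:" checks count as an RFC violation versus a local policy choice (the URI length cap, for instance) is exactly the leeway Michael notes vendors have.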
Current thread:
- Protocol Anomaly Detection IDS Michael L. Artz (Feb 05)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 11)
- Re: Protocol Anomaly Detection IDS Frank Knobbe (Feb 11)
- RE: Protocol Anomaly Detection IDS Sonit Jain (Feb 12)
- Re: Protocol Anomaly Detection IDS Frank Knobbe (Feb 11)
- Re: Protocol Anomaly Detection IDS Yaakov Yehudi (Feb 11)
- <Possible follow-ups>
- RE: Protocol Anomaly Detection IDS Graham, Robert (ISS Atlanta) (Feb 06)
- RE: Protocol Anomaly Detection IDS Adam Powers (Feb 06)
- Re: Protocol Anomaly Detection IDS Jordan K Wiens (Feb 06)
- RE: Protocol Anomaly Detection IDS Andrew Plato (Feb 10)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 18)
- Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots Lance Spitzner (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 20)
- RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 21)
- Re: Protocol Anomaly Detection IDS - Honeypots Gene Yoo (Feb 25)
- Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
- Message not available
- Re: Protocol Anomaly Detection IDS - Honeypots Bob Radvanovsky (Feb 20)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 11)