IDS mailing list archives
RE: Anomaly Based Network IDS
From: "Shafi, Shahid" <sshafi () qualcomm com>
Date: Fri, 18 Jun 2004 23:53:35 -0700
Hi Drew,

I am myself evaluating Mazu's profiler. Don't you think they should do more when it comes to packet inspection? I mean deep inspection and at least alarm if something is not following published RFCs etc.

Shahid

-----Original Message-----
From: Drew Simonis [mailto:simonis () myself com]
Sent: Friday, June 18, 2004 10:35 AM
To: Joe Dauncey; focus-ids () securityfocus com
Subject: Re: Anomaly Based Network IDS

----- Original Message -----
From: Joe Dauncey
Date: Fri, 18 Jun 2004 14:09:08 +0100
To: focus-ids () securityfocus com
Subject: Anomaly Based Network IDS
Hi,

I am interested in views on anomaly-based Network IDS. ... I suppose my definition of anomaly based is that it discovers attacks based on sampling and analysing the network traffic and identifying anomalies on the norm, rather than relying on a specific external signature to tell it what to look for. I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every network environment, and could potentially generate a lot of false positives.

I'm especially interested in anything that would claim to be able to detect a worm attack (and even prevent it) without knowing about it already - i.e. through a signature.
You'll want to look at a couple of things.

First, there are protocol anomaly IDS, such as Symantec Manhunt. These detect deviations from published RFCs and report on that. They can detect attacks absent a signature, but are prone to false positives. They take some tuning and decently skilled analysts.

Second, (and I think what you seem to want) you'll want to look at profiling systems. My favorite is the aptly named "Profiler" by Mazu Networks. It can, as you ask, detect worm activity absent any information, and (a set apart feature from the others in this space, IMO) has a dynamic baseline. I use it, and I like it.

-Ds
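To make the "profiling with a dynamic baseline" idea from Drew's reply concrete, here is a small added example (it is not code from Mazu, Symantec, or anyone in this thread). It models the behaviour Joe asked about: no signature, just a per-source baseline of how many distinct destinations each host talks to per time window, updated as an exponentially weighted moving average so the "norm" drifts with the network, and an alert when a host's fan-out jumps far above its own history, the way a scanning worm does. The flow records, host addresses, and the function names are all constructed for the example; `alpha` (how fast the baseline adapts) and `k` (how many standard deviations count as anomalous) are the two knobs that trade detection speed against the false positives Joe is worried about.

```python
"""Toy profiler-style anomaly detector with a dynamic (EWMA) baseline.

Constructed example: flows are (timestamp_seconds, src_ip, dst_ip, dst_port).
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Baseline:
    """EWMA mean and variance of one host's per-window fan-out."""
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0

    def update(self, x: float, alpha: float) -> None:
        if self.samples == 0:
            self.mean, self.var = x, 0.0
        else:
            diff = x - self.mean
            self.mean += alpha * diff
            # standard recursive EWMA variance estimate
            self.var = (1 - alpha) * (self.var + alpha * diff * diff)
        self.samples += 1


def fanout_per_window(flows, window: int):
    """Return {window_index: {src: number of distinct (dst, port) pairs}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in flows:
        seen[ts // window][src].add((dst, dport))
    return {w: {s: len(d) for s, d in hosts.items()} for w, hosts in sorted(seen.items())}


def detect(flows, window=60, alpha=0.3, k=3.0, warmup=3, min_fanout=5):
    """Alert when a host's fan-out exceeds its own baseline by k std devs.

    warmup: windows observed before a host is eligible for alerting.
    min_fanout: absolute floor so a host with a near-zero variance baseline
                (e.g. always exactly 4 peers) does not alert on tiny wobbles.
    Returns a list of (window, src, fanout, threshold).
    """
    baselines = defaultdict(Baseline)
    alerts = []
    for w, counts in fanout_per_window(flows, window).items():
        for src, fan in counts.items():
            b = baselines[src]
            if b.samples >= warmup:
                thresh = b.mean + k * math.sqrt(b.var)
                if fan > max(thresh, min_fanout):
                    alerts.append((w, src, fan, round(thresh, 2)))
                    # Do not fold the burst into the baseline, or a slow
                    # scanner would teach the profiler that scanning is normal.
                    continue
            b.update(fan, alpha)
    return alerts


def sample_flows():
    """Constructed traffic: six quiet minutes, then one host fans out to 40 peers."""
    flows = []
    for m in range(6):
        t = m * 60 + 5
        flows += [(t, "10.0.0.5", "10.0.1.1", 80), (t, "10.0.0.5", "10.0.1.2", 443)]
        if m % 2:  # fan-out alternates 2, 3, 2, 3, ... : a little natural jitter
            flows.append((t, "10.0.0.5", "10.0.1.3", 25))
        # a steady host that always talks to exactly four peers
        flows += [(t, "10.0.0.7", f"10.0.1.{i}", 445) for i in range(10, 14)]
    # minute 7: worm-like behaviour, 40 distinct hosts on one port
    flows += [(6 * 60 + 5, "10.0.0.5", f"10.0.2.{i}", 445) for i in range(1, 41)]
    return flows


if __name__ == "__main__":
    for w, src, fan, thresh in detect(sample_flows()):
        print(f"window {w}: {src} contacted {fan} peers (baseline threshold {thresh})")
```

Running it reports only the final window for 10.0.0.5; the steady host never trips because its fan-out never exceeds its own baseline or the absolute floor. Lowering `k` or `min_fanout` catches slower scanners at the cost of more false alarms, which is exactly the tuning burden Drew mentions for these systems.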