IDS mailing list archives
RE: Anomaly Based Network IDS
From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 18 Jun 2004 15:03:45 -0500
I think anomaly based engines are good when used in combination with other security information such as signature based events. Dragon is not anomaly based, it is signature based with the capability of detecting some protocol anomalies.

-----Original Message-----
From: Joe Dauncey [mailto:secdistlist () dauncey net]
Sent: Friday, June 18, 2004 8:09 AM
To: focus-ids () securityfocus com
Subject: Anomaly Based Network IDS

Hi,

I am interested in views on anomaly-based Network IDS. A colleague has proposed that we look at using one, but I am not sure how advanced they are? If indeed any exist? I know that at least Enterasys Dragon NIDS claims to be anomaly based.

I suppose my definition of anomaly based is that it discovers attacks based on sampling and analysing the network traffic and identifying anomalies on the norm, rather than relying on a specific external signature to tell it what to look for. I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every network environment, and could potentially generate a lot of false positives.

I'm especially interested in anything that would claim to be able to detect a worm attack (and even prevent it) without knowing about it already - i.e. through a signature. I know that there have been a few Host-based IDS that make this claim, but I'm looking for something that will look after a network infrastructure, rather than a subset of specific systems.

Any thoughts or comments?

Thanks,
Joe

--
Joe Dauncey
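The approach Joe describes (learn the norm from the network's own traffic, alarm on departures from it, no signature for the attack itself) and his two worries (the norm differs per environment, and a badly chosen norm produces false positives) can be shown with a minimal per-source fan-out detector. This is an added example, not code from the original post, from Dragon or from any other product named in the thread. The flow records, the IP addresses, the one-minute window, the k=3 multiplier and the floor of 5 are all constructed assumptions for illustration:

```python
"""Per-source fan-out baseline: a minimal anomaly detector for scanning worms.

Added example; not code from the original post or from any product named in it.
Flow records are constructed inline; window size, k and the floor are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 60  # assumption: fixed one-minute buckets


def fanout_per_window(flows, window=WINDOW_SECONDS):
    """Group flows into {src: {window_index: set(dst)}}.

    Each flow is a (timestamp, src_ip, dst_ip, dst_port) tuple; only distinct
    destinations per window matter here, not byte counts or payloads.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, _dport in flows:
        buckets[src][int(ts // window)].add(dst)
    return buckets


def build_baseline(training_flows, window=WINDOW_SECONDS):
    """Learn each source's mean and std-dev of distinct destinations per window."""
    baseline = {}
    for src, windows in fanout_per_window(training_flows, window).items():
        counts = [len(dsts) for dsts in windows.values()]
        baseline[src] = (mean(counts), pstdev(counts))
    return baseline


def detect(flows, baseline, k=3.0, floor=5, window=WINDOW_SECONDS):
    """Return (src, window_index, observed, threshold) for every window in which
    a source exceeds its own mean + k*stdev.

    The floor keeps a near-zero-variance host from alarming on a single extra
    connection and gives sources absent from training a minimal threshold.
    """
    alerts = []
    for src, windows in fanout_per_window(flows, window).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        threshold = max(mu + k * sigma, mu + floor)
        for w, dsts in sorted(windows.items()):
            if len(dsts) > threshold:
                alerts.append((src, w, len(dsts), threshold))
    return alerts


def global_threshold(training_flows, k=3.0, window=WINDOW_SECONDS):
    """One site-wide threshold over all sources, for comparison with per-source."""
    counts = [len(dsts)
              for windows in fanout_per_window(training_flows, window).values()
              for dsts in windows.values()]
    return mean(counts) + k * pstdev(counts)


# --- constructed sample traffic (not a capture) -------------------------------

def constructed_training_flows():
    """Ten quiet minutes: a workstation reaches 2-4 hosts per minute; the mail
    relay legitimately reaches 30-35 per minute."""
    flows = []
    for w in range(10):
        t = w * WINDOW_SECONDS + 1
        for i in range(2 + w % 3):
            flows.append((t, "10.0.0.5", f"10.0.1.{i + 1}", 443))
        for i in range(30 + w % 6):
            flows.append((t, "10.0.0.25", f"10.0.2.{i + 1}", 25))
    return flows


def constructed_detection_flows():
    """Window 20: the workstation sweeps 50 new hosts on 445 (worm-like fan-out,
    no payload signature involved); the relay does its usual 34."""
    t = 20 * WINDOW_SECONDS + 1
    flows = [(t, "10.0.0.5", f"10.0.3.{i + 1}", 445) for i in range(50)]
    flows += [(t, "10.0.0.25", f"10.0.2.{i + 1}", 25) for i in range(34)]
    return flows


def run_example():
    baseline = build_baseline(constructed_training_flows())
    return detect(constructed_detection_flows(), baseline)


if __name__ == "__main__":
    for src, w, seen, thr in run_example():
        print(f"window {w}: {src} reached {seen} distinct hosts (threshold {thr:.1f})")
    site_wide = global_threshold(constructed_training_flows())
    print(f"a single site-wide threshold learned from the same traffic would be {site_wide:.1f}")
```

With per-source baselines the workstation's sweep of 50 hosts is flagged and the mail relay's 34 is not, because each host is compared with its own norm. The single site-wide threshold learned from the same traffic comes out above 60, so it would miss the sweep; set low enough to catch it, it would fire on the relay every minute. That is the per-environment tuning and false-positive tension Joe raises. Two caveats a practitioner would add: the baseline must be learned from traffic you trust to be clean (a worm active during training becomes "normal"), and fan-out is only one feature; a slow, low-rate worm stays under this threshold and needs other signals.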
Current thread:
- Anomaly Based Network IDS Joe Dauncey (Jun 18)
- RE: Anomaly Based Network IDS Mike Lyman (Jun 21)
- RE: Anomaly Based Network IDS Sasha Romanosky (Jun 24)
- Re: Anomaly Based Network IDS Thomas Ptacek (Jun 25)
- <Possible follow-ups>
- Re: Anomaly Based Network IDS Drew Simonis (Jun 18)
- Re: Anomaly Based Network IDS Jose Nazario (Jun 22)
- RE: Anomaly Based Network IDS Shafi, Shahid (Jun 22)
- RE: Anomaly Based Network IDS Joshua Berry (Jun 22)
- Re: Anomaly Based Network IDS Aaron Jordan (Jun 22)
- RE: Anomaly Based Network IDS Drew Copley (Jun 22)
- Re: Anomaly Based Network IDS Adam Powers (Jun 24)
- RE: Anomaly Based Network IDS David J. Meltzer (Jun 22)
- RE: Anomaly Based Network IDS crayola (Jun 22)
- RE: Anomaly Based Network IDS Drew Copley (Jun 23)
- Re: Anomaly Based Network IDS Barry Fitzgerald (Jun 24)
- RE: Anomaly Based Network IDS Wozny, Scott (US - New York) (Jun 23)
- Re: Anomaly Based Network IDS Ramoni (Jun 24)
- RE: Anomaly Based Network IDS christian graf (Jun 24)
(Thread continues...)