Snort mailing list archives
Some thoughts on IDS types - request for clarification :)
From: Emre Bastuz <info () emre de>
Date: Thu, 12 Feb 2004 10:40:45 +0100
Hi,

I've been Googling around for some details on using Snort and what tools are available and would be best suited for my particular environment. I'm just wondering if I got everything right or if there are major misunderstandings. Maybe some of you guys could comment on the following:

There are basically three approaches on using Snort ...

1. Signature based IDS -> Snort is being used as a means of detecting known attacks. The gathered data can be used for statistical analysis, tracking down the reason for a problem in a network or for forensics after a successful attack.

2. Behavioural IDS -> For different types of hosts signatures need to be created to trigger an alarm when non-regular traffic occurs. For webservers this might be connections to port 80, SSH for administration etc. Seeing FTP or telnet is supposed to alert as this is not the 'normal' behaviour of this server type/host. Do I get it right that this 'behaviour' has to be modelled in the rules? Are there any approaches for automating this with a learning process?

3. Anomaly Detection/Statistics based IDS -> Setting thresholds for certain protocol details makes it possible to trigger alarms whenever the thresholds are exceeded. Anomalies might be '55 percent of the traffic is being consumed by connections to the DNS server, whereas it is supposed to be only 20 percent' or 'FTP traffic from host A to the world is 20 Gig, whereas it was only 5 Gig on average during the last n months'. It seems that the only statistical analyzer available for Snort is Spade from Silicon Defense. It looks like it's not being maintained anymore, so I'm wondering if there are any alternatives out there? Did any of you guys get Spade running with Snort 2.1.1RC?

Did I get the definitions right? Seems there are quite some misleading marketing buzzwords and ambiguities out there - hope I did not fall for them :)

Thanks,
Emre

--
http://www.emre.de
UIN: 561260
PGP Key ID: 0xAFAC77FD

I don't see why some people even HAVE cars.
-- Calvin
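The three detection styles the post distinguishes, shown side by side as an added example (not code from the post or from Snort). It runs the same constructed flow records through a content signature, a per-host-type port policy, and a byte-share threshold that is learned from earlier traffic windows rather than hard-coded, which is the "learning process" the post asks about. All addresses, hosts, payloads and history windows are constructed sample data; `HOST_PROFILES`, `SIGNATURES` and the function names are this example's own, not Snort configuration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection: who talked to whom, on which port, how much, and a payload sample."""
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: bytes


# Constructed sample traffic for the current observation window (not a real capture).
FLOWS = [
    Flow("192.0.2.50", "10.0.0.10", 80, 1200, b"GET /index.html HTTP/1.1"),
    Flow("192.0.2.51", "10.0.0.10", 80, 900, b"GET /../../etc/passwd HTTP/1.1"),
    Flow("192.0.2.52", "10.0.0.10", 21, 300, b"USER anonymous"),
    Flow("10.0.0.10", "10.0.0.53", 53, 200, b""),
    Flow("10.0.0.11", "10.0.0.53", 53, 4000, b""),
    Flow("10.0.0.12", "198.51.100.7", 22, 500, b""),
]

# 1. Signature based: a known-attack content pattern, independent of which host is hit.
SIGNATURES = {
    "WEB-MISC directory traversal": re.compile(rb"\.\./\.\./"),
}


def signature_alerts(flows):
    """Return (rule name, src, dst) for every flow whose payload matches a signature."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(f.payload):
                alerts.append((name, f.src, f.dst))
    return alerts


# 2. Behavioural: the 'normal' service set per host type is modelled explicitly.
HOST_PROFILES = {
    "10.0.0.10": ("webserver", {80, 22}),   # HTTP plus SSH for administration
    "10.0.0.53": ("dns server", {53}),
}


def behaviour_alerts(flows):
    """Alert on any connection to a profiled host on a port outside its expected set."""
    alerts = []
    for f in flows:
        profile = HOST_PROFILES.get(f.dst)
        if profile is None:
            continue                          # unprofiled hosts are not judged here
        host_type, allowed = profile
        if f.dport not in allowed:
            alerts.append((f"unexpected port {f.dport} on {host_type}", f.src, f.dst))
    return alerts


# 3. Statistics based: share of bytes per destination port against a threshold.
def traffic_share(flows):
    """Fraction of all bytes in the window sent to each destination port."""
    per_port = defaultdict(int)
    total = 0
    for f in flows:
        per_port[f.dport] += f.nbytes
        total += f.nbytes
    return {p: b / total for p, b in per_port.items()} if total else {}


def learn_thresholds(history, slack=1.5):
    """Learn a per-port limit as the mean share over past windows times a slack factor."""
    sums = defaultdict(float)
    for window in history:
        for port, share in traffic_share(window).items():
            sums[port] += share
    return {port: (s / len(history)) * slack for port, s in sums.items()}


def anomaly_alerts(flows, thresholds):
    """Return (port, observed share, limit) for every port whose share exceeds its limit."""
    shares = traffic_share(flows)
    return [(port, round(shares.get(port, 0.0), 3), round(limit, 3))
            for port, limit in thresholds.items() if shares.get(port, 0.0) > limit]


# Constructed earlier windows: DNS was 20% and 30% of bytes, so the learned limit is 0.375.
HISTORY = [
    [Flow("10.0.0.11", "10.0.0.53", 53, 200, b""), Flow("192.0.2.50", "10.0.0.10", 80, 800, b"")],
    [Flow("10.0.0.11", "10.0.0.53", 53, 300, b""), Flow("192.0.2.50", "10.0.0.10", 80, 700, b"")],
]

if __name__ == "__main__":
    print("signature :", signature_alerts(FLOWS))
    print("behaviour :", behaviour_alerts(FLOWS))
    print("anomaly   :", anomaly_alerts(FLOWS, learn_thresholds(HISTORY)))
```

On this input each detector fires exactly once, and on a different flow: the signature catches the traversal string regardless of the target, the behavioural check catches FTP to the webserver although the payload is harmless, and the statistical check catches DNS at about 59% of bytes against a learned 37.5% limit without any knowledge of content. That separation is the practical meaning of the three categories in the post.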
Current thread:
- Some thoughts on IDS types - request for clarification :) Emre Bastuz (Feb 12)
- Re: Some thoughts on IDS types - request for clarification :) Matt Kettler (Feb 12)