
Re: Protocol Anomaly Detection IDS

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Tue Feb 11 2003 - 15:17:17 EST

On Mon, 2003-02-10 at 20:04, Martin Roesch wrote:
> Just as an FYI, Snort can do protocol anomaly detection, through its

In addition, besides signatures and protocol anomaly, Snort can also be used as a behavioral IDS. I have a habit of stressing the fact that after a Snort install/setup in your network, one should strive to craft additional Snort rules that define abnormal traffic, such as a web server establishing connections to the outside, etc. Snort is very capable of detecting abnormal traffic that way, and through its detailed logging can give you clues to what's going on.

Case in point: Just the other day, an engineer of a network vendor set up a laptop on the perimeter of a company to do some maintenance, and left the laptop hooked up overnight. Unfortunately, it was running an anonymous-writable FTP server. The company's signature-based IDS didn't complain, but the company's statistical IDS alerted to an FTP server, which wasn't of much concern to the company since they knew that this IP was used by that laptop. Our Snort-based appliance however picked up on the fact that there was a) an abnormal, rogue FTP present, and b) that that laptop was receiving parts of a Harry Potter movie in AVI form :) indicating an insecure system (which our test confirmed).

So, Snort is not just a signature and anomaly based IDS, it is also a behavioral IDS.

Regards,
Frank

Received on Tue Feb 11 16:46:10 2003
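The kind of site-specific "this is abnormal for us" rules the post describes, written out as an added example (these are not rules from the post or from the Snort distribution). They assume the standard snort.conf variables $HTTP_SERVERS, $FTP_SERVERS, $HOME_NET and $EXTERNAL_NET are set to the site's real sanctioned hosts, and use SIDs in the local 1000000+ range; the SID numbers and message texts are made up for this example.

```snort
# Behavioral rule 1: a web server should answer requests, never open
# connections outward. A SYN (flags:S) from $HTTP_SERVERS towards the
# outside is therefore policy-abnormal regardless of payload.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"BEHAVIOR web server initiating outbound TCP connection"; flow:stateless; flags:S; classtype:policy-violation; sid:1000001; rev:1;)

# Behavioral rule 2: an FTP server greeting ("220 ...") coming from any
# host that is NOT one of the sanctioned $FTP_SERVERS. This is what would
# have flagged the rogue anonymous FTP server on the engineer's laptop.
alert tcp !$FTP_SERVERS 21 -> any any (msg:"BEHAVIOR FTP server banner from non-sanctioned host"; flow:from_server,established; content:"220 "; depth:4; classtype:policy-violation; sid:1000002; rev:1;)

# Behavioral rule 3: an AVI (RIFF) file header arriving at an internal host
# on any port. The RIFF header is "RIFF" + 4-byte size + "AVI ", so the
# second content match is pinned 4 bytes after the first.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BEHAVIOR AVI file header inbound to internal host"; flow:established; content:"RIFF"; depth:4; content:"AVI "; distance:4; within:4; classtype:policy-violation; sid:1000003; rev:1;)
```

Rules like these only work if the variables reflect what is actually sanctioned on the network, so an inventory pass (which hosts legitimately run FTP, which hosts are web servers) has to precede writing them; once in place, a hit is by definition a deviation from documented behavior rather than a known attack signature, which is the "behavioral IDS" use the post is arguing for.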

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT

