IDS mailing list archives
Re: Protocol Anomaly Detection IDS
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Thu, 6 Feb 2003 13:23:06 -0500 (EST)
Moderator: The demo was 7 months ago, so I don't have the details handy on the exact version information, but it was pre-Symantec ManHunt.

I've only demoed ManHunt among the PAD-heavy IDS, and it appeared pretty useless in our network. Unfortunately, vast quantities of network traffic are not RFC compliant, so we were receiving hundreds of false positives every few seconds that were indistinguishable from events actually worth looking at. Lots of events like HTTP-PROT-VIOLATION, or whatever they were called, don't exactly help. Maybe there's some way to tweak it, just as any signature- and statistics-based IDS usually requires an initial investment in tweaking, but I tend to doubt it.

Signature-based IDS will generate lots and lots of different events, and worthwhile ones can get lost in the crowd, but the PAD as I saw it generated many events of only a few different types; I just don't see how useful info could be pulled out, though I hope someone else on the list has better experiences. I hope someone else had a better experience, because ManHunt has so many excellent features that even if its signature detection was more robust, we considered getting it and just turning the PAD off.

-- jordan

On Tue, 4 Feb 2003, Michael L. Artz wrote:

> I am trying to supplement our existing signature-based IDS (Snort, gotta love open source) with a protocol anomaly based one in a fairly large enterprise network. I am in the fairly early stages of research, so I guess that the first question would be, is it worth it?
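The point Jordan makes above, that a protocol-anomaly engine which treats every RFC deviation alike buries the few interesting alerts under a flood of benign ones, can be made concrete with a small checker. The following is an added example written for this archive page; it is not code from the original thread or from ManHunt, and the violation names, thresholds, and the list of "benign" deviations are assumptions of the example. It runs a strict RFC 2616 request-line/Host-header check over a handful of constructed HTTP requests, then runs a tuned variant that demotes the deviations real clients produce constantly (bare LF line endings, lowercase methods, tab separators) so that only the requests a practitioner would actually want to look at remain.

```python
import re
from collections import Counter

# Constructed sample traffic (not from the original post). Each entry is the
# raw bytes of one HTTP request as a sensor would see it on the wire.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # clean
    b"GET /index.html HTTP/1.0\r\n\r\n",                            # no Host: legal in HTTP/1.0
    b"get /lower.html HTTP/1.1\r\nHost: a\r\n\r\n",                  # lowercase method
    b"GET /tab.html\tHTTP/1.1\r\nHost: a\r\n\r\n",                   # tab instead of SP
    b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n",         # bare LF line endings
    b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: a\r\n\r\n",        # overlong URI
    b"GET /\x00\x90\x90 HTTP/1.1\r\nHost: a\r\n\r\n",                # control bytes in URI
    b"GET /a HTTP/1.1\r\nHost: a\r\nHost: b\r\n\r\n",                # duplicate Host header
]

# Hypothetical threshold; real engines make this configurable.
MAX_URI_LEN = 512


def strict_violations(raw):
    """Return every RFC 2616 deviation found in one request, reported the way
    a PAD engine that treats all deviations alike would (hypothetical names)."""
    found = []
    if b"\n" in raw and b"\r\n" not in raw:
        found.append("bare-lf")                      # RFC requires CRLF
    lines = re.split(rb"\r?\n", raw)
    request_line = lines[0]
    parts = re.split(rb"[ \t]+", request_line)
    if len(parts) != 3:
        found.append("malformed-request-line")
        return found
    method, uri, version = parts
    if b"\t" in request_line or request_line.count(b" ") != 2:
        found.append("bad-separator")                # must be exactly two SP
    if method != method.upper():
        found.append("lowercase-method")             # methods are case-sensitive
    if not re.fullmatch(rb"HTTP/\d\.\d", version):
        found.append("bad-version")
    if len(uri) > MAX_URI_LEN:
        found.append("long-uri")
    if any(c < 0x20 or c > 0x7E for c in uri):
        found.append("control-bytes-in-uri")         # non-printable bytes in URI
    hosts = [l for l in lines[1:] if l.lower().startswith(b"host:")]
    if version == b"HTTP/1.1" and not hosts:
        found.append("missing-host")                 # Host is mandatory in 1.1
    if len(hosts) > 1:
        found.append("duplicate-host")
    return found


# Deviations that ordinary clients and proxies produce constantly and that
# carry no attack signal on their own. Assumption of this example: "tweaking"
# a PAD engine amounts to demoting these to statistics rather than alerts.
BENIGN_DEVIATIONS = {"bare-lf", "lowercase-method", "bad-separator"}


def tuned_alerts(raw):
    """Same checks, but only deviations outside the benign set become alerts."""
    return [v for v in strict_violations(raw) if v not in BENIGN_DEVIATIONS]


def alert_summary(requests, detector):
    """Count alert types a detector raises over a traffic sample."""
    return Counter(v for r in requests for v in detector(r))


if __name__ == "__main__":
    print("strict:", dict(alert_summary(SAMPLE_REQUESTS, strict_violations)))
    print("tuned: ", dict(alert_summary(SAMPLE_REQUESTS, tuned_alerts)))
```

Over the eight constructed requests the strict checker raises six alerts of six types, half of them for traffic that is merely sloppy; the tuned checker keeps only the overlong URI, the control bytes in the URI, and the duplicate Host header, which are the three a responder would want to open. On a real link the benign half is what arrives "every few seconds", so whether a product lets you make that split is the question to ask a vendor before a demo, not after.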
Current thread:
- Protocol Anomaly Detection IDS Michael L. Artz (Feb 05)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 11)
- Re: Protocol Anomaly Detection IDS Frank Knobbe (Feb 11)
- RE: Protocol Anomaly Detection IDS Sonit Jain (Feb 12)
- Re: Protocol Anomaly Detection IDS Frank Knobbe (Feb 11)
- Re: Protocol Anomaly Detection IDS Yaakov Yehudi (Feb 11)
- RE: Protocol Anomaly Detection IDS Graham, Robert (ISS Atlanta) (Feb 06)
- RE: Protocol Anomaly Detection IDS Adam Powers (Feb 06)
- Re: Protocol Anomaly Detection IDS Jordan K Wiens (Feb 06)
- RE: Protocol Anomaly Detection IDS Andrew Plato (Feb 10)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 18)
- Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots Lance Spitzner (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 20)
- RE: Protocol Anomaly Detection IDS - Honeypots Rob Shein (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots dreamwvr () dreamwvr com (Feb 21)
- Re: Protocol Anomaly Detection IDS - Honeypots Gene Yoo (Feb 25)
- Re: Protocol Anomaly Detection IDS Robert Graham (Feb 20)
- Re: Protocol Anomaly Detection IDS - Honeypots Bob Radvanovsky (Feb 20)
- Re: Protocol Anomaly Detection IDS Martin Roesch (Feb 11)