IDS mailing list archives
Re: Protocol Anomaly Detection IDS
From: Yaakov Yehudi <yehudi () tehila gov il>
Date: Tue, 11 Feb 2003 10:12:59 +0200
I think you would be wise to evaluate ForeScout's ActiveScout. I have been using ActiveScout for well over a year. Especially since the last version of the software, I have become quite impressed. Some of the bells and whistles are very useful too.
Also you'll find that the guys at ForeScout are very interested in customer feedback, and are frequently able to incorporate improvements when the next version is released. I definitely suggest that you should request an evaluation version of the software. And no, I am not associated with ForeScout in any way other than as a user of the ActiveScout software.
Best Regards,
Yaakov

At Wednesday 05/02/2003 06:07, Michael L. Artz wrote:
Date: Tue, 04 Feb 2003 23:07:02 -0500
From: "Michael L. Artz" <dragon () october29 net>
Subject: Protocol Anomaly Detection IDS
To: focus-ids () securityfocus com
Reply-To: slyph () alum mit edu
Message-id: <3E408DE6.3050404 () october29 net>

I am trying to supplement our existing signature based IDS (Snort, gotta love open source) with a protocol anomaly based one in a fairly large enterprise network. I am in the fairly early stages of research, so I guess that the first question would be, is it worth it?

I hear the anomaly detection buzzword thrown around a lot these days, and can't quite get past all the marketing hype. From what I can tell, protocol anomaly detection seems to be more promising than the statistical for detecting new or IDS-cloaked attacks. However the notion of "conforming to RFCs" leaves a lot of leeway for the vendors to play with. How well do these types of systems actually work?

Does anyone have any recommendations as to which systems to look into/stay away from? Below is a list of some of the ones that looked like they might support protocol anomaly detection from their marketing hype, let me know if I left any out/incorrectly added any: