Snort mailing list archives

Re: Traffic anomaly detection


From: Erek Adams <erek () snort org>
Date: Wed, 12 Feb 2003 08:22:51 -0500 (EST)

On Wed, 12 Feb 2003, Joerg Weber wrote:

we are currently using snort with quite some success (and fun, I might
add). Now, I'm looking at SPADE and have no trouble finding traffic
using unused IP address or dead ports, etc.
What I'm trying to implement is the detection of 'unusual' traffic,
generated by an unknown worm, a warez server, etc.
I assume this is possible with SPADE, could someone confirm this?
If so, could someone share a config file and maybe some alert entry so I
can parse my logs/db for similar entries?

Have a read over an excellent post [0] by Frank Knobbe to the focus-ids
list.

To sum his post up, you don't need anything more than basic rules.  I'd
suggest running something like ntop [1] or Sniffer Pro (commercial) to get
a visual idea of who's on your net, what they are doing, and what "looks"
normal.  Once you've got that picture, tune your rulesets down to what is
"good" for you.  Then, since you know your webserver should only accept
requests on ports 80 and 22, and it should never initiate any outgoing
requests except for DNS, you can write rules that flag any traffic other
than that.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://marc.theaimsgroup.com/?l=focus-ids&m=104499996305316&w=2
[1]     http://www.ntop.org/ntop.html
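The "flag anything other than that" idea from the reply above, written out as a Snort rule fragment. This is an added example, not part of Erek's message or of any Snort distribution; the web server address 192.168.1.10 and the resolver addresses 192.168.1.2 and 192.168.1.3 are assumptions, as are the message strings and the local SIDs.

```snort
# Added example: policy rules for a single web server (addresses assumed).
var WEBSERVER 192.168.1.10
var DNS_SERVERS [192.168.1.2,192.168.1.3]

# Traffic we expect.  Pass rules are only consulted before alert rules
# when snort is started with -o (rule order pass -> alert -> log).
pass tcp any any -> $WEBSERVER 80
pass tcp any any -> $WEBSERVER 22
pass udp $WEBSERVER any -> $DNS_SERVERS 53
pass udp $DNS_SERVERS 53 -> $WEBSERVER any

# Anyone opening a connection to the box on a port it should not serve.
# flags:S,12 matches a bare SYN while ignoring the two reserved (ECN) bits.
alert tcp any any -> $WEBSERVER any (msg:"WEBSERVER inbound TCP connect to unexpected port"; flags:S,12; sid:1000001; rev:1;)
alert udp any any -> $WEBSERVER any (msg:"WEBSERVER inbound UDP to unexpected port"; sid:1000002; rev:1;)

# The box starting a conversation it has no business starting.
# SYN-ACKs from the web server carry A, so normal replies do not match here.
alert tcp $WEBSERVER any -> any any (msg:"WEBSERVER initiated outbound TCP connection"; flags:S,12; sid:1000003; rev:1;)
alert udp $WEBSERVER any -> any any (msg:"WEBSERVER outbound UDP not to DNS"; sid:1000004; rev:1;)
```

Two things to check before trusting this: start snort with `-o`, otherwise the alert rules fire before the pass rules ever get a look, and every legitimate HTTP SYN will show up as an alert; and keep the SIDs in the local range (1000000 and up) so they never collide with distributed rules. The rules say nothing about what a worm or warez server looks like, which is the point of Frank's post: a box that only ever talks HTTP, SSH and DNS gives you an extremely short list of "normal", and anything off that list is worth a look.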

