Snort mailing list archives
Re: Traffic anomaly detection
From: Erek Adams <erek () snort org>
Date: Wed, 12 Feb 2003 08:22:51 -0500 (EST)
On Wed, 12 Feb 2003, Joerg Weber wrote:
> we are currently using snort with quite some success (and fun, I might add). Now, I'm looking at SPADE and have no trouble finding traffic using unused IP addresses or dead ports, etc.
>
> What I'm trying to implement is the detection of 'unusual' traffic, generated by an unknown worm, a warez server, etc. I assume this is possible with SPADE; could someone confirm this? If so, could someone share a config file and maybe some alert entry so I can parse my logs/db for similar entries?
Have a read over an excellent post [0] by Frank Knobbe to the focus-ids list. To sum his post up, you don't need anything more than basic rules.

I'd suggest running something like ntop [1] or Sniffer Pro (commercial) to get a visual idea of who's on your net, what they are doing, and what "looks" normal. Once you've got that picture, tune your rulesets down to what is "good" for you. Then, since you know your webserver should only accept requests on ports 80 and 22, and it should never initiate any outgoing requests except for DNS, you can write rules that flag any traffic other than that.

Cheers!

-----
Erek Adams
  "When things get weird, the weird turn pro."  H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=focus-ids&m=104499996305316&w=2
[1] http://www.ntop.org/ntop.html
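The "flag anything other than the known-good traffic" policy Erek describes, written out as a Snort 2.x rule set. This is an added example and is not part of the original message, nor a rule file shipped with Snort; the addresses in the var lines, the sid numbers and the message texts are assumptions to be replaced with your own.

```snort
# Added example (not from the original thread): whitelist the traffic a web
# server is supposed to see, then alert on every other connection attempt.
# Addresses and sids below are assumed values.
var WEB_SERVER  192.0.2.10
var DNS_SERVERS [192.0.2.53,192.0.2.54]

# 1. Known-good traffic, explicitly passed:
#    inbound HTTP and SSH to the server, and the server's own DNS lookups.
pass tcp any any -> $WEB_SERVER 80 (msg:"known-good: HTTP to web server"; sid:1000001; rev:1;)
pass tcp any any -> $WEB_SERVER 22 (msg:"known-good: SSH to web server"; sid:1000002; rev:1;)
pass udp $WEB_SERVER any -> $DNS_SERVERS 53 (msg:"known-good: DNS lookup from web server"; sid:1000003; rev:1;)

# 2. Everything else that touches the web server.
#    flags:S,12 matches only the initial SYN (ignoring the two ECN bits), so a
#    new connection fires once instead of once per packet, and the server's
#    own SYN/ACK replies to legitimate clients do not match the outbound rule.
alert tcp any any -> $WEB_SERVER any (msg:"POLICY inbound connection to web server on unexpected port"; flags:S,12; sid:1000004; rev:1;)
alert tcp $WEB_SERVER any -> any any (msg:"POLICY web server initiated outbound TCP connection"; flags:S,12; sid:1000005; rev:1;)
alert udp $WEB_SERVER any -> any any (msg:"POLICY web server sent UDP other than DNS"; sid:1000006; rev:1;)
```

One caveat that bites people with this style of rule set: by default Snort 2.x evaluates alert rules before pass rules, so the three pass rules above would never get a chance to suppress the alerts. Either start snort with -o or put `config order: pass alert log` in snort.conf so that pass rules are checked first. Using pass rules for the allowed ports also sidesteps the need to express "any port except 80 or 22" in a single rule header.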
Current thread:
- Traffic anomaly detection Joerg Weber (Feb 12)
- Re: Traffic anomaly detection Erek Adams (Feb 12)
- Re: Traffic anomaly detection Frank Knobbe (Feb 12)
- Re: Traffic anomaly detection James Hoagland (Feb 12)
- <Possible follow-ups>
- RE: Traffic anomaly detection Bob McDowell (Feb 12)
- RE: Traffic anomaly detection Williams Jon (Feb 13)
- RE: Traffic anomaly detection Erek Adams (Feb 13)
- Re: Traffic anomaly detection Erek Adams (Feb 12)