[Snort-users] Some thoughts on IDS types - request for clarification :)
info at ...9966...
Thu Feb 12 01:42:12 EST 2004
I've been Googling around for some details on using snort and what tools
are available and would be best suited for my particular environment.
I'm just wondering if I got everything right or if there are major
misunderstandings. Maybe some of you guys could comment on the following:
There are basically three approaches to using Snort ...
1. Signature based IDS
-> Snort is being used as a means of detecting known attacks. The gathered
data can be used for statistical analysis, tracking down the reason
for a problem in a network or for forensics after a successful attack
2. Behavioural IDS
-> For different types of hosts, signatures need to be created to trigger an
alarm when non-regular traffic occurs. For webservers this might be
connections to port 80, SSH for administration etc. Seeing FTP or
telnet is supposed to alert as this is not the 'normal' behaviour
of this server type/host.
Do I get it right that this 'behaviour' has to be modelled in the rules?
Are there any approaches for automating this with a learning process?
3. Anomaly Detection/Statistics based IDS
-> Setting thresholds for certain protocol details enables triggering alarms
whenever the thresholds are exceeded. Anomalies might be '55 percent of
the traffic is being consumed by connections to the dns server, whereas it
is supposed to be only 20 percent' or 'FTP traffic from host A to the
world is 20 Gig, whereas it was only 5 Gig in average during the last
It seems that the only statistical analyzer available for Snort is
Spade from Silicon Defense. It looks like it's not being
maintained anymore so I'm wondering if there are any alternatives
Did any of you guys get Spade running with Snort 2.1.1RC?
Did I get the definitions right?
Seems there are quite some misleading marketing buzzwords and ambiguities out
there - hope I did not fall for them :)
http://www.emre.de UIN: 561260
PGP Key ID: 0xAFAC77FD
I don't see why some people even HAVE cars. -- Calvin
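As an added illustration of point 2 (not part of the original post), this is how the "expected behaviour" of a web-server segment can be modelled directly in Snort 2.x rule syntax: the allowed services are pass rules, everything else alerts. $WEB_SERVERS and $MGMT_NET are assumed variable names; the pass-before-alert order requires "config order" (or snort -o), and the flow keyword assumes the stream4 preprocessor is enabled.

```snort
# Added example in Snort 2.x rule syntax; not from the original post.
# $WEB_SERVERS / $MGMT_NET are assumed names, define them for your network.
var WEB_SERVERS [192.168.10.0/24]
var MGMT_NET [192.168.1.0/24]

# Snort evaluates alert rules before pass rules by default; this makes the
# pass rules below take effect (equivalent to running snort with -o).
config order: pass alert log

# The model of "normal": HTTP from anywhere, SSH only from the admin network.
pass tcp any any -> $WEB_SERVERS 80 (flow:to_server,established; sid:1000001; rev:1;)
pass tcp $MGMT_NET any -> $WEB_SERVERS 22 (flow:to_server,established; sid:1000002; rev:1;)

# Everything else reaching the web servers is outside the model and alerts.
# flow:to_server,established ignores unanswered SYNs (scans), and the
# threshold option limits the alert to one per source per minute.
alert tcp any any -> $WEB_SERVERS any (msg:"POLICY unexpected service on web server"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1000003; rev:1;)

# Named rules for the two protocols the post mentions, so the alert text says
# exactly what was seen rather than only "unexpected service".
alert tcp any any -> $WEB_SERVERS 21 (msg:"POLICY FTP to web server"; flow:to_server,established; classtype:policy-violation; sid:1000004; rev:1;)
alert tcp any any -> $WEB_SERVERS 23 (msg:"POLICY telnet to web server"; flow:to_server,established; classtype:policy-violation; sid:1000005; rev:1;)
```

Nothing here is learned automatically: every "normal" service must be written down as a pass rule, and a new legitimate service on the host shows up as an alert until the rule set is updated.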