[Snort-users] Some thoughts on IDS types - request for clarification :)

Emre Bastuz info at ...9966...
Thu Feb 12 01:42:12 EST 2004


I´ve been Googling around for some details on using snort and what tools
are available and would be best suited for my particular environment.
Im just wondering if I got everything right or if there are major
misunderstandings. Maybe some of you guys could comment on the following:

There are basically three approaches on using Snort ...

1. Signature based IDS
   -> Snort is being used as a means of detecting known attacks. The gathered
      data can be used for statistical analysis, tracking down the reason
      for a problem in a network or for forensics after a successfull attack

2. Behavioural IDS
   -> For different types of hosts signatures need to be created to trigger an
      alarm when non regular traffic occurs. For webservers this might be
      connections to port 80, SSH for administration etc.. Seeing FTP or
      telnet is supposed to alert as this is not the 'normal' behaviour
      of this server type/host.

      Do I get it right that this 'behaviour' has to be modelled in the rules?
      Are there any approaches for automating this with a learning proccess?

3. Anomaly Detection/Statistics based IDS
   -> Setting thresholds for certain protocoll details enables to trigger alarms
      whenever the thresholds are exceeded. Anomalies might be '55 percent of
      the traffic is being consumed by connections to the dns server, whereas it
      is supposed to be only 20 percent' or 'FTP traffic from host A to the
      world is 20 Gig, whereas it was only 5 Gig in average during the last
      n months.

      It seems that the only statistical analyzer available for Snort is
      Spade from  Silicon Defense. It looks like it´s not being
      maintained anymore so I´m wondering if there are any alternatives
      out there?
      Did any of you guys get Spade running with Snort 2.1.1RC?

Did I get the definitions right?

Seems there are quite some misleeding marketing buzzwords and ambiguities out
there - hope I did not fall for them :)



http://www.emre.de                        UIN: 561260

I don't see why some people even HAVE cars. -- Calvin

This message was sent using IMP, the Internet Messaging Program.

More information about the Snort-users mailing list