[fw-wiz] NBS

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 09/03/04

  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 03 Sep 2004 13:47:56 -0400

    I've just released code for a doo-dad I've been playing with for a while
    called NBS. That stands for "Never Before Seen" Anomaly Detector.
    Basically, the idea is, if you've never seen something before, it must
    be an anomaly. :) Duh! It's just a fast database that keeps track of
    strings and their occurrence. It lets you get notice when it finds
    something it's never before seen (hence the name) and you can also
    dump things with various sorts and orders.

    This tool can be incredibly useful - or not - depending on what you
    do with it. For example, dumping DHCP {server, client, mac} combos
    into an NBS database can be quite interesting. If you have a web
    server that doesn't dynamically create URLs it might be extremely
    useful for detecting new worms, etc. It's designed to be lightweight
    and fast enough that you wouldn't have a problem with keeping
    short-term and long-term databases of the same things if you
    wanted to (most frequent URLs today anyone?) Anyhow, there's a
    lot of potential applications for it and I've even actually written some
    documentation on how it works. :)
    Follow the link for NBS. Building it is not too hard; you need the
    BSD-DB library from Sleepycat Software and some basic
    knowledge of how to build C code under UNIX.

    As always, I welcome suggestions, bug-fixes, etc.


    Note for those who care: this is free software and is downloadable
    source. It's not "Open Source"(tm); it is for non-commercial use
    only (that means you can use it but you can't sell it).
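The idea described in the post, a store that counts strings, reports the ones it has never seen, and dumps them in various sort orders, as an added illustration that is not NBS itself and not Marcus Ranum's code. It uses SQLite instead of the BSD-DB library NBS is built on; the class, function and sample request lines are all constructed for this example. It also shows the short-term versus long-term database pairing the post mentions: a long-term store is seeded with baseline web requests, then a day's traffic is fed to both a fresh short-term store (for a "most frequent today" dump) and the long-term one (which flags the never-before-seen request path).

```python
"""Never-before-seen string tracker in the style of NBS (constructed example).

Any string can be a key: a DHCP {server, client, mac} triple joined with
spaces, a request line from a web server log, a user-agent, and so on.
"""
import sqlite3
import time

# Columns a caller may sort a dump by; validated so the ORDER BY clause
# is never built from unchecked user input.
_SORTABLE = {"key", "count", "first_seen", "last_seen"}


class NeverBeforeSeen:
    """Persistent map: key -> (count, first_seen, last_seen)."""

    def __init__(self, path=":memory:"):
        # Pass a file path to keep the database between runs.
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS seen ("
            " key TEXT PRIMARY KEY,"
            " count INTEGER NOT NULL,"
            " first_seen REAL NOT NULL,"
            " last_seen REAL NOT NULL)"
        )

    def observe(self, key, now=None):
        """Record one occurrence of key; return True if it was never seen before."""
        now = time.time() if now is None else now
        cur = self.db.execute(
            "UPDATE seen SET count = count + 1, last_seen = ? WHERE key = ?",
            (now, key),
        )
        if cur.rowcount:          # existing row was updated: already known
            return False
        self.db.execute(
            "INSERT INTO seen (key, count, first_seen, last_seen) VALUES (?, 1, ?, ?)",
            (key, now, now),
        )
        return True

    def dump(self, order="count", descending=True, limit=None):
        """Return rows (key, count, first_seen, last_seen) sorted by `order`."""
        if order not in _SORTABLE:
            raise ValueError("cannot sort by %r" % order)
        direction = "DESC" if descending else "ASC"
        rows = self.db.execute(
            "SELECT key, count, first_seen, last_seen FROM seen"
            " ORDER BY %s %s, key ASC" % (order, direction)
        ).fetchall()
        return rows if limit is None else rows[:limit]


def audit(store, keys, now=None):
    """Feed keys into store; return those that were never seen before, in order."""
    return [k for k in keys if store.observe(k, now)]


# Constructed sample data: request lines from a site whose URL set is static.
BASELINE = ["GET /index.html", "GET /about.html", "GET /index.html"]
TODAY = [
    "GET /index.html",
    "GET /cgi-bin/unknown-probe",   # constructed: a path the site never served
    "GET /about.html",
    "GET /index.html",
    "GET /cgi-bin/unknown-probe",
    "GET /index.html",
]


def demo():
    """Return (never-seen keys in today's traffic, today's most-frequent dump)."""
    long_term = NeverBeforeSeen()
    short_term = NeverBeforeSeen()
    audit(long_term, BASELINE, now=1.0)            # training: everything is new
    new_today = audit(long_term, TODAY, now=2.0)   # alerts against the baseline
    audit(short_term, TODAY, now=2.0)              # fresh store for today only
    return new_today, short_term.dump(order="count")


if __name__ == "__main__":
    new_keys, top = demo()
    for k in new_keys:
        print("NEVER BEFORE SEEN:", k)
    for key, count, first, last in top:
        print("%5d  %s" % (count, key))
```

Point a second process at the same file path and you get the persistent behaviour the post describes; the short-term store can simply be a file you delete each day while the long-term one accumulates. Anything flagged by the long-term store is worth a look, but an alert means "new", not "malicious": the first visit to a freshly published page fires the same way as a probe for a path that was never there.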
