Re: Protocol Anomaly Detection IDS

From: Martin Roesch
Date: 02/11/03

    Date: Mon, 10 Feb 2003 21:04:52 -0500
    From: Martin Roesch


    Just as an FYI, Snort can do protocol anomaly detection, through its
    rules-based engine, its decoder and in its preprocessors. Protocol
    anomalies mean different things to different people, of course, so it
    depends on what you're really looking for.

    People commonly think of Snort as a "signature based" IDS only, it's
    actually capable of a lot more than that...


    On Tuesday, February 4, 2003, at 11:07 PM, Michael L. Artz wrote:

    > I am trying to supplement our existing signature based IDS (Snort,
    > gotta love open source) with a protocol anomaly based one in a fairly
    > large enterprise network. I am in the fairly early stages of
    > research, so I guess that the first question would be, is it worth it?
    > I hear the anomaly detection buzzword thrown around a lot these days,
    > and can't quite get past all the marketing hype. From what I can
    > tell, protocol anomaly detection seems to be more promising than
    > the statistical for detecting new or IDS-cloaked attacks. However the
    > notion of "conforming to RFCs" leaves a lot of leeway for the vendors
    > to play with. How well do these types of systems actually work?
    > Does anyone have any recommendations as to which systems to look
    > into/stay away from? Below is a list of some of the ones that looked
    > like they might support protocol anomaly detection from their
    > marketing hype, let me know if I left any out/incorrectly added any:
    > Lancope Stealthwatch
    > Tipping Point/UnityOne
    > ISS RealSecure Guard
    > Cisco IDS 4250
    > CA/eTrust IDS
    > Intruvert Intrushield
    > NFR Network Intrusion Detection System
    > Netscreen/Onesecure IDP
    > Symantec ManHunt
    > Any clues or headstarts to get me pointed in the right direction would
    > be great.
    > Thanks
    > -Mike
    --
    Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    Sourcefire: Enterprise-class Intrusion detection built on Snort
    Snort: Open Source Network IDS

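To make the distinction in Martin's reply concrete, here is a small added example (not Snort code, and not from either poster) that contrasts a content signature with protocol-level checks on an HTTP request line. The signature pattern, the request-line samples and the URI-length threshold are all constructed for the example; the grammar checks are the kind of thing a decoder or preprocessor performs, reduced to a few lines.

```python
"""Protocol-anomaly checks versus a content signature, on HTTP request lines.

Added illustration, not Snort code. The idea: a signature matches a specific
byte pattern, while a protocol-anomaly check flags traffic that breaks the
protocol's own grammar even when no known pattern is present.
"""
import re

# Request methods defined in RFC 2616 (HTTP/1.1). Others are unusual on their own.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# Request-line grammar: Method SP Request-URI SP HTTP-Version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

# A content signature for contrast (constructed pattern, not a real rule).
SIGNATURE = b"/cgi-bin/phf"

MAX_URI_LEN = 2048  # assumed threshold; real deployments tune this per site


def protocol_anomalies(line: bytes) -> list:
    """Return labels for every protocol-level oddity found in one request line."""
    findings = []
    raw = line.rstrip(b"\r\n")
    # Control or 8-bit bytes have no place in an ASCII request line.
    if any(b < 0x20 or b > 0x7E for b in raw):
        findings.append("non-printable bytes in request line")
    text = raw.decode("ascii", errors="replace")
    m = REQUEST_LINE.match(text)
    if not m:
        findings.append("malformed request line")
        return findings
    method, uri, major, minor = m.groups()
    if method not in RFC2616_METHODS:
        findings.append(f"unknown method {method}")
    if major != "1":
        findings.append(f"unexpected HTTP version {major}.{minor}")
    if len(uri) > MAX_URI_LEN:
        findings.append(f"URI length {len(uri)} exceeds {MAX_URI_LEN}")
    return findings


def signature_match(line: bytes) -> bool:
    """Plain substring signature: true only for the one known pattern."""
    return SIGNATURE in line


# Constructed sample request lines: one benign, one matching the signature,
# and four that are grammatically wrong in different ways.
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n",
    b"GETX /index.html HTTP/1.1\r\n",
    b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n",
    b"GET /index.html HTTP/9.9\r\n",
    b"\x90\x90GET / HTTP/1.1\r\n",
]


def classify(line: bytes) -> dict:
    """Run both detectors so the two kinds of verdict can be compared side by side."""
    return {"signature": signature_match(line), "anomalies": protocol_anomalies(line)}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample[:40], classify(sample))
```

Running it shows the second sample caught only by the signature (it is a perfectly well-formed request), and the last four caught only by the grammar checks, which is why "protocol anomaly" covers a different slice of traffic than "signature" and why the two are complementary rather than competing.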
