Re: Protocol Anomaly Detection IDS
From: Yaakov Yehudi (yehudi@tehila.gov.il)
Date: 02/11/03
- Previous message: mb_lima: "Re: Active response... some thoughts."
- In reply to: Michael L. Artz: "Protocol Anomaly Detection IDS"
- Next in thread: Martin Roesch: "Re: Protocol Anomaly Detection IDS"
Date: Tue, 11 Feb 2003 10:12:59 +0200
To: slyph@alum.mit.edu
From: Yaakov Yehudi <yehudi@tehila.gov.il>
I think you would be wise to evaluate ForeScout's ActiveScout. I have been
using ActiveScout for well over a year. Especially since the last version
of the software, I have become quite impressed. Some of the bells and
whistles are very useful too.
Also, you'll find that the guys at ForeScout are very interested in customer
feedback, and are frequently able to incorporate improvements when the next
version is released.
I definitely suggest that you should request an evaluation version of the
software. And no, I am not associated with ForeScout in any way other than
as a user of the ActiveScout software.
Best Regards, Yaakov
At Wednesday 05/02/2003 06:07, Michael L. Artz wrote:
>Date: Tue, 04 Feb 2003 23:07:02 -0500
>From: "Michael L. Artz" <dragon@october29.net>
>Subject: Protocol Anomaly Detection IDS
>To: focus-ids@securityfocus.com
>Reply-To: slyph@alum.mit.edu
>Message-id: <3E408DE6.3050404@october29.net>
>MIME-version: 1.0
>Content-type: text/plain; charset=us-ascii; format=flowed
>Content-transfer-encoding: 7BIT
>X-Accept-Language: en-us, en
>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030101
>X-Enigmail-Version: 0.71.0.0
>X-Enigmail-Supports: pgp-inline, pgp-mime
>
>I am trying to supplement our existing signature based IDS (Snort, gotta
>love open source) with a protocol anomaly based one in a fairly large
>enterprise network. I am in the fairly early stages of research, so I
>guess that the first question would be, is it worth it?
>
>I hear the anomaly detection buzzword thrown around a lot these days, and
>can't quite get past all the marketing hype. From what I can tell,
>protocol anomaly detection seems to be more promising than the
>statistical for detecting new or IDS-cloaked attacks. However the notion
>of "conforming to RFCs" leaves a lot of leeway for the vendors to play
>with. How well do these types of systems actually work?
>
>Does anyone have any recommendations as to which systems to look into/stay
>away from? Below is a list of some of the ones that looked like they
>might support protocol anomaly detection from their marketing hype, let me
>know if I left any out/incorrectly added any:
- Next message: Rob Shein: "RE: Active response... some thoughts."
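Added example for the question quoted above (it is not part of the thread and not code from any product named in it): a small Python check that puts a naive signature rule beside a protocol-anomaly check of an HTTP/1.x request line, using the request-line grammar of RFC 2616 section 5.1 (Method SP Request-URI SP HTTP-Version CRLF). The `strict` flag stands in for the "leeway" the post mentions: the lenient profile only flags outright grammar violations, while the strict profile also flags things the RFC technically allows but real clients never send (extra spaces, percent-encoded unreserved characters, "." path segments). The signature string, the method list, the 2048-byte URI limit and all sample requests are constructed for the example.

```python
"""Protocol-anomaly checks for an HTTP/1.x request line next to a naive signature match.

Added example; not code from the original post or from any product named in it.
Grammar checks follow RFC 2616 sec. 5.1.  Signature, limits and samples are constructed.
"""
import re

SIGNATURE = b"/cgi-bin/phf"  # constructed signature: exact bytes only, like a substring rule
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")       # RFC 2616 'token' characters
VERSION = re.compile(rb"^HTTP/[0-9]+\.[0-9]+$")               # HTTP-Version
PCT = re.compile(rb"%([0-9A-Fa-f]{2})?")                      # '%' followed by 2 hex digits, or broken
DOT_SEGMENT = re.compile(rb"/\.\.?(?=/|\?|$)")                # '/./' or '/../' style segments
UNRESERVED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")
MAX_URI = 2048  # assumed local policy, not an RFC limit


def signature_hit(request: bytes) -> bool:
    """Signature IDS stand-in: fires only on the exact byte sequence."""
    return SIGNATURE in request


def protocol_anomalies(request: bytes, strict: bool = True) -> list:
    """Return a list of ways the request line deviates from the RFC grammar.

    strict=False reports only hard grammar violations; strict=True also reports
    RFC-legal oddities that real browsers never produce (the vendor 'leeway').
    """
    findings = []
    line, crlf, _ = request.partition(b"\r\n")
    if not crlf:
        findings.append("request line not terminated by CRLF")
    if any(c < 0x20 or c > 0x7e for c in line):
        findings.append("control or non-ASCII byte in request line")

    parts = line.split(b" ")
    if strict and b"" in parts:
        findings.append("multiple SP separators in request line")
    parts = [p for p in parts if p]

    if len(parts) == 2:               # HTTP/0.9 'simple request': Method SP URI
        if strict:
            findings.append("HTTP/0.9 simple request (no version)")
        method, target, version = parts[0], parts[1], None
    elif len(parts) == 3:
        method, target, version = parts
    else:
        findings.append("request line does not have 2 or 3 elements")
        return findings

    if not TOKEN.match(method):
        findings.append("method is not an RFC token")
    elif strict and method not in KNOWN_METHODS:
        findings.append("unknown method %s" % method.decode("ascii", "replace"))

    if not (target.startswith(b"/") or target == b"*" or b"://" in target):
        findings.append("request target is neither abs_path, absoluteURI nor '*'")
    if len(target) > MAX_URI:
        findings.append("request target longer than %d bytes" % MAX_URI)
    for m in PCT.finditer(target):
        if m.group(1) is None:
            findings.append("malformed percent-encoding")
            break
        if strict and int(m.group(1), 16) in UNRESERVED:
            # Encoding 'f' as %66 is legal but only ever done to dodge string matching.
            findings.append("percent-encoded unreserved character (typical IDS evasion)")
            break
    if strict and DOT_SEGMENT.search(target):
        findings.append("self-referencing or parent directory segment in path")

    if version is not None and not VERSION.match(version):
        findings.append("malformed HTTP-Version")
    return findings


def classify(request: bytes, strict: bool = True) -> dict:
    """Run both detectors and say whether either would alert."""
    sig = signature_hit(request)
    anomalies = protocol_anomalies(request, strict)
    return {"signature": sig, "anomalies": anomalies, "alert": sig or bool(anomalies)}


SAMPLES = {  # constructed traffic, not captured
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "plain_attack": b"GET /cgi-bin/phf?Qalias=x%0acat%20/etc/passwd HTTP/1.0\r\n\r\n",
    "evaded_attack": b"GET /cgi-bin/./ph%66?Qalias=x%0acat%20/etc/passwd HTTP/1.0\r\n\r\n",
    "odd_but_legal": b"GET  /index.html  HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "unknown_overflow": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        for strict in (True, False):
            r = classify(req, strict)
            print("%-17s strict=%-5s sig=%-5s anomalies=%s" % (name, strict, r["signature"], r["anomalies"]))
```

The "plain_attack" sample is caught by the signature and is grammatically clean, the "evaded_attack" sample (same request with one letter percent-encoded and a "/./" segment inserted) slips past the signature but trips the strict anomaly profile, and the lenient profile misses it entirely; the oversized URI is flagged with no signature at all. Which of those the strict profile should flag is a policy decision, which is the vendor leeway the post asks about.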