Re: Symantec Manhunt

From: Johann van Duyn (
Date: 11/26/03

    To: "Duston Sickler" <>
    Date: Wed, 26 Nov 2003 20:05:14 +0200

    Using it. Loving it.

    Nuff sed?

    I have it set up in conjunction with a few Network Critical taps (meaning
    that every interface sees only one half of the conversation), which means
    that the software's ability to cross-correlate is key to making any sense
    of the traffic it sees, and it does that bit really well.

    It also correlates events into incidents (giving you a shorter list of
    cr-p to sift through when chasing an incident) very well, although
    sometimes the correlation logic escapes me a bit. Depending on how much
    coffee I have had in the morning, this is not always difficult, though...
    Its ability to correlate events and incidents across multiple ManHunt
    nodes is impressive.

    A MAJOR PLUS is that you can define tons of monitoring interfaces on each
    ManHunt box and set them to sniff lots of different segments, and your
    license (MH is licensed according to the actual sniffed bandwidth it will
    see, NOT per interface) is then aggregated across all the interfaces. This
    is much cheaper than having to deploy, e.g., 8 separate sensors of most
    other products.

    We use Nortel switches, so we cannot make use of MH's ability to "browse"
    switches (by spanning switch ports over to its monitoring interfaces one
    by one) when it is not otherwise occupied, but its insight into our Cisco
    routers is very good, even though Networking sees it as cheeky that an IDS
    makes QoS suggestions.

    The signatures work very well, and Symantec have been quite quick in
    releasing signatures to complement the anomaly detection capabilities of
    the product. Both facets of the anomaly detection (protocol anomaly, which
    works out of the box, and traffic anomaly, which takes a while to settle
    into the environment and then complains about traffic pattern changes)
    also work very well in my environment.

    One thing I don't like is that it does not currently come out of the box
    with the ability to blacklist IPs on firewalls, and if you want to do
    that, you need to get the application that reconfigures the firewall and
    put it on the ManHunt box, calling it whenever you would want to blacklist
    an IP. This may not be something that you would use all the time, but in
    times of large breakouts it could come in handy. It integrates into SESA
    (Symantec Enterprise Security Architecture) now and one should be able to
    make SESA create blacklists on SGS or SEF firewalls (and maybe even FW-1
    and PIX, with the necessary Event Managers for Firewalls) based on ManHunt
    outputs, but I have not played with that aspect of the product yet.

    Depending on how au fait you are with Linux/Solaris, and who will be
    supporting the IDS, you may want to push Symantec and ask them when it's
    going to be available as an appliance.

    Get a demo CD from Symantec and play with it... it's an insane product
    that achieves its goals in rather impressive style.

    YMMV, but I hope this helps...

    Johann van Duyn, CISSP
    IT Risk and Security Manager: British American Tobacco South Africa
    Stellenbosch, South Africa
    Tel. +27 (21) 8883765
    Cel. +27 (82) 3248035
    Fax. +27 (21) 8883587
    eFax. +1 (509) 2785044
    "...damage amounts in computer-related crime are
     often based on numbers plucked from thin air."

                                                         -- Bruce
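
The tap arrangement described in the message, where each monitoring interface sees only one half of a conversation, is why cross-interface correlation matters. The sketch below is an added example, not part of the original post and not ManHunt's own logic. The interface names, addresses and packet records are constructed, and `flow_key`, `stitch`, `classify` and `summarize` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample records, one list per tap-fed monitoring interface:
# (timestamp, interface, src_ip, src_port, dst_ip, dst_port, tcp_flags)
TAP_A = [  # hypothetical eth1: sees client -> server traffic only
    (1.000, "eth1", "10.0.0.5", 40001, "192.0.2.10", 80, "SYN"),
    (1.002, "eth1", "10.0.0.5", 40001, "192.0.2.10", 80, "ACK"),
    (2.000, "eth1", "10.0.0.5", 40002, "192.0.2.10", 23, "SYN"),
    (3.000, "eth1", "10.0.0.5", 40003, "192.0.2.10", 8080, "SYN"),
]
TAP_B = [  # hypothetical eth2: sees server -> client traffic only
    (1.001, "eth2", "192.0.2.10", 80, "10.0.0.5", 40001, "SYN-ACK"),
    (2.001, "eth2", "192.0.2.10", 23, "10.0.0.5", 40002, "RST"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation match."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def stitch(*feeds):
    """Merge per-interface feeds into time-ordered, bidirectional flows."""
    flows = defaultdict(list)
    for pkt in sorted((p for feed in feeds for p in feed), key=lambda p: p[0]):
        _, _, src, sport, dst, dport, _ = pkt
        flows[flow_key(src, sport, dst, dport)].append(pkt)
    return flows

def classify(packets):
    """Label a flow from the TCP flags visible in the packets supplied."""
    flags = {p[6] for p in packets}
    if {"SYN", "SYN-ACK", "ACK"} <= flags:
        return "established"
    if {"SYN", "RST"} <= flags:
        return "refused"
    if flags == {"SYN"}:
        return "unanswered"
    return "incomplete-view"  # e.g. SYN and ACK seen, but never the reply

def summarize(*feeds):
    """Map each stitched flow to its label."""
    return {key: classify(pkts) for key, pkts in stitch(*feeds).items()}

if __name__ == "__main__":
    for label, feeds in (("eth1 only", (TAP_A,)), ("eth1+eth2", (TAP_A, TAP_B))):
        print(label)
        for (a, b), state in summarize(*feeds).items():
            print(f"  {a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {state}")
```

With one interface alone, the refused connection to port 23 is indistinguishable from an unanswered SYN; only the merged view shows the RST.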


