RE: Symantec Manhunt

From: Fergus Brooks (
Date: 11/28/03

  • Next message: "Re: RE: Cisco CTR"
    To: "'Johann van Duyn'" <>, "'Duston Sickler'" <>
    Date: Fri, 28 Nov 2003 15:26:12 +0800

    Everything Johann said and more:

    We implemented Manhunt 2.2 running Solaris 8 x86 for a bank about 9
    months ago. The key things they wanted were to not have to mess about
    too much with Solaris and a reliable solution. We didn't want to spend
    too much time in support.

    That is what they/we have got. I spent a few hours with them showing
    them how to apply filters and some other stuff. I went in there a few
    months ago to show them how to do some maintenance and they had already
    filtered all their irrelevant traffic and had their one sensor (DMZ)
    only telling them what they wanted to hear.

    They are so happy with it that we have started discussing a bigger box
    running v.3 and sto monitor their entire network using 8 100meg sensor
    interfaces (it can take 12 per node - 128 nodes in a cluster) with some
    network roaming through auto-manipulation of their Cisco gear.

    It is a great NIDS and is scaleable, easy to set up and (I think) most
    importantly easy to tune and keep tuned. Test data that I have seen
    shows that it really can go to 2gbps monitored traffic per node and

    One thing to be careful about - if you are planning to use the MSAs'
    (smart agents for obtaining and correlating other product's events -
    there are ones for ISS, Netscreen, Snort, Dragon etc...) then ensure
    that the MSA supports your exact version of software. We have been burnt
    a few times telling clients that it will take alerts from, say, FW-1 via
    OPSEC only to find that it is not the right version of FW-1.

    Also take very good heed of the hardware configuration guide - I highly
    advise using something on the supported list even if it is not as fast
    and flashy as currently possible.

    Hope this helps your decision - all the best - rgds...

    -----Original Message-----
    From: Johann van Duyn []
    Sent: Thursday, 27 November 2003 2:05 AM
    To: Duston Sickler
    Cc:; David Sayers -- Home
    Subject: Re: Symantec Manhunt

    Using it. Loving it.

    Nuff sed?

    I have it set up in conjunction with a few Network Critical taps
    (meaning that every interface sees only one half of the conversation),
    which means that the software's ability to cross-correlate is key to
    making any sense of the traffic it sees, and it does that bit really

    It also correlates events into incidents (giving you a shorter list of
    cr-p to sift through when chasing an incident) very well, although
    sometimes the correlation logic escapes me a bit. Depending on how much
    coffee I have had in the morning, this is not always difficult,
    though... Its ability to correlate events and incidents across multiple
    ManHunt nodes is impressive.

    A MAJOR PLUS is that you can define tons of monitoring interfaces on
    each ManHunt box and set them to sniff lots of different segments, and
    your license (MH is licensed according to the actual sniffed bandwidth
    it will see, NOT per interface) is then aggregated across all the
    interfaces. This is much cheaper than having to deploy, e.g., 8 separate
    sensors of most other products.

    We use Nortel switches, so we cannot make use of MH's ability to
    "browse" switches (by spanning switch ports over to its monitoring
    interfaces one by one) when it is not otherwise occupied, but its
    insight into our Cisco routers is very good, even though Networking sees
    it as cheeky that an IDS makes QoS suggestions.

    The signatures work very well, and Symantec have been quite quick in
    releasing signatures to complement the anomaly detection capabilities of
    the product. Both facets of the anomaly detection (protocol anomaly,
    which works out of the box, and traffic anomaly, which takes a while to
    settle into the environment and then complains about traffic pattern
    changes) also work very well in my environment.

    One thing I don't like is that it does not currently come out of the box
    with the ability to blacklist IPs on firewalls, and if you want to do
    that, you need to get the application that reconfigures the firewall and
    put it on the ManHunt box, calling it whenever you would want to
    blacklist an IP. This may not be something that you would use all the
    time, but in times of large breakouts it could come in handy. It
    integrates into SESA (Symantec Enterprise Security Architecture) now and
    one should be able to make SESA create blacklists on SGS or SEF
    firewalls (and maybe even FW-1 and PIX, with the necessary Event
    Managers for Firewalls) based on ManHunt outputs, but I have not played
    with that aspect of the product yet.

    Depending on how au fait you are with Linux/Solaris, and who will be
    supporting the IDS, you may want to push Symantec and ask them when it's
    going to be available as an appliance.

    Get a demo CD from Symantec and play with it... it's an insane product
    that achieves its goals in rather impressive style.

    YMMV, but I hope this helps...

    J o h a n n v a n D u y n, CISSP
    IT Risk and Security Manager: British American Tobacco South Africa
    Stellenbosch, South Africa Tel. +27 (21) 8883765 Cel. +27 (82) 3248035
    Fax. +27 (21) 8883587 eFax. +1 (509) 2785044
    "...damage amounts in computer-related crime are
     often based on numbers plucked from thin air."

                                                         -- Bruce Schneier

    Confidentiality Notice: The information in this document and attachments
    is confidential and may also be legally privileged. It is intended only
    for the use of the named recipient. Internet
    communications are not secure and therefore British American
    Tobacco does not accept legal responsibility for the contents of this
    message. If you are not the intended recipient,please notify us
    immediately and then delete this document. Do not disclose the contents
    of this document to any other person, nor take any copies. Violation of
    this notice may be unlawful.


    This message has been scanned by AVMail

  • Next message: "Re: RE: Cisco CTR"