Re: [Snort-users] RE: Network Behaviour Anomaly Detection

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 06/24/04

  • Next message: Drew Copley: "RE: Anomaly Based Network IDS"

    Date: Thu, 24 Jun 2004 15:25:10 -0400
    To: Michael Cunningham <crayola@optonline.net>

    Hi Mike,

    > Anyone interested in starting up an opensource project to build
    > something
    > like this?

    FYI, Snort's stream4 module (and the new spp_flow module) is capable of
    logging the stats you mention for any flow that is observed,
    specifically start/stop time, src/dst IPs and ports, number of packets
    and number of bytes transferred, as well as IDS event stats and any
    other flags you care to hang off of them. For example, along with the
    flow record you could record the number of IDS events that fired for a
    given flow as well as any anomalies that were detected on that flow
    (e.g. fragmentation/tcp protocol anomalies, etc).

    Snort's got 50% of what you want already; you could implement the
    anomaly detection as a preprocessor if you were so inclined...

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Intelligent Security Monitoring
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
    ---------------------------------------------------------------------------
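The kind of consumer Martin's reply points at, as an added example that is not part of the original post and not Snort's stream4/spp_flow or preprocessor code: it takes flow records with the fields he lists (start/stop time, src/dst IP and port, packet and byte counts, plus a per-flow count of IDS events hung off the record) and applies three simple behavioural checks on top of them. The record layout, the `Flow` dataclass, the sample flows and the thresholds are all constructed for illustration; it runs offline on the embedded sample.

```python
"""Toy network-behaviour anomaly detection over Snort-style flow records.

Added example; not Snort code. It assumes each flow record carries the
fields mentioned in the thread (start/stop, src/dst IP and port, packets,
bytes) plus a hypothetical per-flow 'ids_events' counter. Thresholds are
illustrative, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed layout, modelled on what stream4 logs)."""
    start: float        # epoch seconds
    stop: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    ids_events: int = 0  # IDS events that fired on this flow (hypothetical field)


def _web(src, sport, nbytes, t, events=0):
    """Helper building a constructed client-to-web-server flow."""
    return Flow(t, t + 2.0, src, sport, "192.0.2.10", 80,
                nbytes // 600 + 2, nbytes, events)


# Constructed training window: ordinary web flows from two clients.
TRAINING = [_web("10.0.0.5", 40000 + i, b, 1000.0 + 10 * i)
            for i, b in enumerate([1200, 1500, 1300, 1400, 1100])]
TRAINING += [_web("10.0.0.7", 41000 + i, b, 1000.0 + 10 * i)
             for i, b in enumerate([800, 900, 1000, 1100, 1200])]

# Constructed observation window: one normal flow, one unusually large
# upload from 10.0.0.5, a flow from 10.0.0.7 on which several IDS events
# fired, and a never-seen host 10.0.0.9 touching many services on one box.
OBSERVED = [
    _web("10.0.0.7", 41100, 950, 2000.0),
    _web("10.0.0.5", 40100, 50000, 2001.0),
    _web("10.0.0.7", 41101, 1000, 2002.0, events=4),
] + [
    Flow(2010.0 + i, 2010.1 + i, "10.0.0.9", 50000 + i, "192.0.2.20", p, 2, 120)
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])
]


def bytes_baseline(flows):
    """Per-source mean and population stdev of bytes per flow."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f.src_ip].append(f.bytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def detect(training, observed, z_limit=3.0, fanout_limit=10, event_limit=3):
    """Return (kind, src_ip, detail) alerts for the observed window.

    Checks: a source never seen in training, a flow whose byte count is
    far above that source's baseline, a flow carrying many IDS events,
    and a source fanning out to many distinct (dst_ip, dst_port) pairs.
    """
    base = bytes_baseline(training)
    alerts = []
    fanout = defaultdict(set)
    flagged_new = set()
    for f in observed:
        if f.src_ip not in base:
            if f.src_ip not in flagged_new:
                flagged_new.add(f.src_ip)
                alerts.append(("new_source", f.src_ip, "no baseline for this host"))
        else:
            mu, sigma = base[f.src_ip]
            # z-score of this flow's bytes against the source's own history
            if sigma > 0 and (f.bytes - mu) / sigma > z_limit:
                alerts.append(("volume", f.src_ip, f"{f.bytes}B vs mean {mu:.0f}B"))
        if f.ids_events >= event_limit:
            alerts.append(("ids_events", f.src_ip,
                           f"{f.ids_events} events to {f.dst_ip}:{f.dst_port}"))
        fanout[f.src_ip].add((f.dst_ip, f.dst_port))
    for src, targets in fanout.items():
        if len(targets) > fanout_limit:
            alerts.append(("fanout", src, f"{len(targets)} distinct services"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(TRAINING, OBSERVED):
        print(f"{kind:11} {src:10} {detail}")
```

The baseline here is a plain per-host z-score over a handful of flows, which is enough to show the mechanics but would be noisy on real traffic; a preprocessor built on stream4's records would want a rolling window and per-service (not just per-host) statistics before alerting.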
