Re: Recommended Anomaly Detection Software

From: Drew Simonis (simonis_at_myself.com)
Date: 01/23/05

    To: linuxtwidler@gmail.com, focus-ids@securityfocus.com
    Date: Sun, 23 Jan 2005 17:01:08 -0500
    
    

    >
    > Greetings,

    Hello

    > I would like to know if there is someone that would recommend a piece of
    > software that does a good job at anomaly detection?
    >
    > In particular, I have a tcpdump file of SMTP traffic, which I would like
    > to pass analyse.
    >

    This is a pretty broad request. I may assume that you are looking for
    anomalous SMTP data packets, but then again, I might just as likely assume
    you are looking for anomalous connection patterns. Either way, I don't know
    of any "off the shelf" dedicated anomaly detector. Assuming you are looking
    for the protocol type, Snort may be your best bet, and it should have no
    problems with taking that TCPDump file as input.

    There are also commercial IDS that do protocol anomaly detection, which you
    might already know. Symantec Network Security (aka Manhunt) is one that I
    have used for a few years, and there are others.

    If you are looking for something to detect anomalies in the connection
    patterns, you may want to look at NFDump and the NFSEN project. I am not
    sure how far along that effort is, but it may be promising. Again, there
    are commercial products like Mazu Profiler and Arbor Peakflow, but I don't
    think their cost would be justified by simply wanting to do a one time
    analysis.

    HTH,
    -Ds
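The reply separates two different questions: anomalies in the SMTP protocol data itself versus anomalies in the connection pattern. The following is an added example, not code from the original thread or from any of the tools named in it, showing the simplest form of each check a defender might run over an offline capture. It assumes the SMTP command lines have already been reassembled per client (as a protocol-aware IDS preprocessor would do), and that the connection records have been reduced to flow tuples (as NFDump-style tooling would emit). Both data sets here are constructed for the example; the verb list follows RFC 5321 and the 256-byte path limit comes from RFC 5321 section 4.5.3.1.3.

```python
import re
import statistics
from collections import Counter

# Constructed sample: client-side SMTP command lines, keyed by client address.
# 10.0.0.9 is the deliberately odd session (unknown verb, oversized MAIL FROM path).
SMTP_SESSIONS = {
    "10.0.0.5": ["EHLO mail.example.net", "MAIL FROM:<a@example.net>",
                 "RCPT TO:<b@example.org>", "DATA", "QUIT"],
    "10.0.0.7": ["HELO client7", "MAIL FROM:<c@example.net>",
                 "RCPT TO:<d@example.org>", "DATA", "QUIT"],
    "10.0.0.9": ["EHLO x", "AUTH LOGIN", "XEXCH50 2 2",
                 "MAIL FROM:<" + "A" * 600 + "@example.net>", "QUIT"],
}

# Constructed sample: flow records (src, dst, dport). Most hosts open a handful of
# SMTP connections; 10.0.0.9 fans out to sixty distinct destinations.
FLOWS = (
    [("10.0.0.5", "192.0.2.10", 25)] * 3
    + [("10.0.0.7", "192.0.2.10", 25)] * 2
    + [("10.0.0.8", "192.0.2.10", 25)] * 4
    + [("10.0.0.11", "192.0.2.10", 25)] * 3
    + [("10.0.0.12", "192.0.2.10", 25)] * 2
    + [("10.0.0.9", "192.0.2.%d" % i, 25) for i in range(1, 61)]
)

# SMTP verbs from RFC 5321 plus the common extensions (AUTH, STARTTLS, BDAT).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS", "BDAT"}
MAX_PATH_LEN = 256  # RFC 5321 4.5.3.1.3: max length of a reverse-path or forward-path


def protocol_anomalies(sessions):
    """Protocol-level check: flag verbs outside the known set and oversized paths."""
    findings = []
    for src, lines in sessions.items():
        for line in lines:
            parts = line.split(None, 1)
            if not parts:
                continue
            verb = parts[0].upper()
            if verb not in SMTP_VERBS:
                findings.append((src, "unknown-verb", line[:40]))
            m = re.match(r"(?i)(MAIL FROM|RCPT TO):(.*)", line)
            if m and len(m.group(2)) > MAX_PATH_LEN:
                findings.append((src, "oversized-path", "%d bytes" % len(m.group(2))))
    return findings


def connection_anomalies(flows, port=25, threshold=3.5):
    """Connection-pattern check: per-source connection counts scored against the
    median and median absolute deviation (robust to the outlier itself)."""
    per_src = Counter(src for src, _dst, dport in flows if dport == port)
    counts = list(per_src.values())
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    findings = []
    for src, c in per_src.items():
        if mad:
            score = 0.6745 * (c - med) / mad  # modified z-score (Iglewicz & Hoaglin)
        else:
            score = float("inf") if c != med else 0.0  # all-equal baseline edge case
        if score > threshold:
            findings.append((src, c, round(score, 1)))
    return findings


def run():
    return {
        "protocol": protocol_anomalies(SMTP_SESSIONS),
        "connections": connection_anomalies(FLOWS),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

The two functions are deliberately independent: the protocol check needs reassembled application data, the connection check needs only flow tuples, which is why the reply points at different tools for each. The threshold of 3.5 on the modified z-score is the conventional cut-off for that statistic; on a real capture you would tune it against a baseline period rather than a single file.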


