
| Subject: | Re: Intrushield vs. ISS once more... |
|---|---|
| Date: | Fri, 07 Jan 2005 10:17:05 -0500 |
Well Thomas, given the fact that we're Arbor's largest competitor and greatest threat, you seem to know very little about how the StealthWatch technology works or of what it's capable. StealthWatch certainly does provide aspects of both statistical and rate-based anomaly detection. These techniques typically require several "flows" to form a pattern which ultimately lead to an alarm or alert. The pattern forming process could take anywhere from 1 second to 24 hours depending on the type and volume of attack traffic.

But it doesn't stop there... StealthWatch also provides a myriad of other "single flow" alarms that work in combination with "multi-flow" alarms (flows being either NetFlow-based or from a SPAN/mirror port). An example is the "Trap Host" alarm. StealthWatch keeps a database of all hosts that are active on a given internal segment. If it sees another internal host attempt to communicate with a host that does not exist, an alert (or alarm) is raised instantly. All that's needed is a single packet or NetFlow record. The operator can adjust the sensitivity of this alarm by specifying how many "trap hosts" are allowed to be hit in a single day before an actual alarm is raised.

Other examples include the StealthWatch OS fingerprinting alarms. Since OS fingerprinting is based on the first TCP SYN, only a single packet is needed to raise an alarm or alert. StealthWatch offers the capability to alarm on such OS anomalies as multiple OSs, unknown OSs, NATed addresses, etc. Yet another example includes such policy-driven alarms as "Out of Profile", "Zone Violation", "Watch Host/Port", and the "Mac Address Violation".

So "atomic" attack detection is absolutely possible with StealthWatch. Sure, sign-based systems are better suited for alarm driven packet capture, but you can rest assured that *some* anomaly detection systems offer this capability as well.
As a side note, starting with StealthWatch 4.5 (May 2005) the first 128 bytes of payload in each direction of each flow will be captured and saved to disk for later retrieval and analysis (31 days by default, can be extended indefinitely).

--
Adam Powers
Senior Security Engineer
Advanced Technology Group
o. 770.225.6521
e. apowers@lancope.com

On 1/5/05 10:24 AM, "Thomas Ptacek" <tqbf@arbor.net> wrote:

> A system like Lancope's (statistical anomalies) doesn't generate alerts based on individual packets or even individual connections. It's detecting rate shifts based on time. This is detection based on context (useful for some things, don't get me wrong). What's the likelihood that the forensic information you're actually looking for is contained in the 15kB of data associated with the connection that happened to trip a threshold?
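The "Trap Host" single-flow alarm described in the message above, written out as an added example (not Lancope's code and not part of the original post): a learned database of active internal hosts, an alert on the first flow to an address that is not in it, and a per-source daily hit count compared with an operator-set threshold before a full alarm is raised. The monitored segment, the flow record shape, the threshold value and the sample flows are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")  # assumed monitored segment (constructed)


class TrapHostDetector:
    """Single-flow alarm: an internal source contacts an internal address that
    is not in the learned active-host database. Each hit is an alert; when a
    source's hits for one day reach the threshold, an alarm is raised once."""

    def __init__(self, active_hosts, alarm_threshold=3):
        self.active = {ip_address(h) for h in active_hosts}  # host database
        self.threshold = alarm_threshold                     # operator sensitivity
        self.hits = defaultdict(int)                         # (src, day) -> count
        self.alerts, self.alarms = [], []

    def observe(self, src, dst, ts):
        """Evaluate one flow record (NetFlow or SPAN derived); returns
        None, "ALERT" or "ALARM"."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in INTERNAL or dst not in INTERNAL:
            return None                      # only internal-to-internal traffic
        if dst in self.active:
            return None                      # destination is a real host
        day = datetime.fromisoformat(ts).date()
        self.hits[(src, day)] += 1
        self.alerts.append((str(src), str(dst), ts))
        if self.hits[(src, day)] == self.threshold:   # fires once per source/day
            self.alarms.append((str(src), day.isoformat()))
            return "ALARM"
        return "ALERT"


def run_sample():
    """Feed constructed flow records through the detector; returns the
    per-flow verdicts and the detector with its alert/alarm history."""
    det = TrapHostDetector(["10.0.0.1", "10.0.0.2", "10.0.0.3"], alarm_threshold=3)
    flows = [  # (src, dst, timestamp), constructed sample data
        ("10.0.0.1", "10.0.0.2", "2005-01-07T10:00:00"),   # real host, silent
        ("10.0.0.1", "10.0.0.50", "2005-01-07T10:00:01"),  # trap host hit 1
        ("10.0.0.1", "10.0.0.51", "2005-01-07T10:00:02"),  # hit 2
        ("10.0.0.1", "10.0.0.52", "2005-01-07T10:00:03"),  # hit 3 -> alarm
        ("10.0.0.1", "10.0.0.53", "2005-01-07T10:00:04"),  # still alerts only
        ("10.0.0.2", "8.8.8.8", "2005-01-07T10:01:00"),    # external, ignored
        ("10.0.0.2", "10.0.0.60", "2005-01-08T09:00:00"),  # new day, new count
    ]
    return [det.observe(*f) for f in flows], det
```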