Greetings,
Hello
I would like to know if there is someone that would recommend a piece of
software that does a good job at anomaly detection?
In particular, I have a tcpdump file of SMTP traffic, which I would like
to pass analyse.
This is a pretty broad request. I may assume that you are looking for
anomalous SMTP data packets, but then again, I might just as likely assume
you are looking for anomalous connection patterns. Either way, I don't know
of any "off the shelf" dedicated anomaly detector. Assuming you are looking
for the protocol type, Snort may be your best bet, and it should have no
problems with taking that TCPDump file as input.
There are also commercial IDS that do protocol anomaly detection, which you
might already know. Symantec Network Security (aka Manhunt) is one that I
have used for a few years, and there are others.
If you are looking for something to detect anomalies in the connection
patterns, you may want to look at NFDump and the NFSEN project. I am not
sure how far along that effort is, but it may be promising. Again, there
are commercial products like Mazu Profiler and Arbor Peakflow, but I don't
think their cost would be justified by simply wanting to do a one time
analysis.
HTH,
-Ds
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
