Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Recomended Anomaly Detection Software

from [Jaime Fournier] Network Security [Permanent Link]
Subject: Re: Recomended Anomaly Detection Software
Date: Mon, 24 Jan 2005 15:18:58 -0600 (CST)
You might want to try Ethereal for the actual payload and format validation.
Something like Spade could be used to determine odd activity as well but is based more on statistics for finding "non normal activity" than actually packet analysis.

On Sun, 23 Jan 2005, Drew Simonis wrote:


Greetings, 

Hello

I would like to know if there is someone that would recommend a piece of
software that does a good job at anomaly detection?

In particular, I have a tcpdump file of SMTP traffic, which I would like
to pass analyse.


This is a pretty broad request.  I may assume that you are looking for
anomalous SMTP data packets, but then again, I might just as likely assume
you are looking for anomalous connection patterns.  Either way, I don't know
of any "off the shelf" dedicated anomaly detector.  Assuming you are looking
for the protocol type, Snort may be your best bet, and it should have no
problems with taking that TCPDump file as input.

There are also commercial IDS that do protocol anomaly detection, which you
might already know.  Symantec Network Security (aka Manhunt) is one that I
have used for a few years, and there are others.

If you are looking for something to detect anomalies in the connection
patterns, you may want to look at NFDump and the NFSEN project.  I am not
sure how far along that effort is, but it may be promising.  Again, there
are commercial products like Mazu Profiler and Arbor Peakflow, but I don't
think their cost would be justified by simply wanting to do a one time
analysis.

HTH,
-Ds

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Specification-based Anomaly Detection, Adam Powers
Next by Date:  Re: Specification-based Anomaly Detection, Dragos Ruiu
Previous by Thread:  Re: Recomended Anomaly Detection Software, Drew Simonis
Next by Thread:  Agregation Traffic Model, Alexandre Soares
Indexes:  [Date] [Thread] [Top] [All Lists]