I run the Enterasys Dragon NBAD in conjunction with Sig Based IDS. The magic comes from the SIM. I have a Dragon Security Command Console. It correlates Sig Based IDS with the NBAD sentries.
This setup allows me to correlate vulnerability information, IDS events, anomalies and syslog/event logs. I can also run reports on traffic statistics. NBAD is a lot of work. I think of NBAD as reverse signature based. You don't use signatures, but you do create a global signature, per se, of your entire network. You authorize what you know to be legitimate, documented traffic and services. Then NBAD tells you what doesn't match your baseline. I don't want to know how people are doing it without this type of technology. Wasting a lot of time, I guess.

On 1/9/08, Libershal, David M. <[EMAIL PROTECTED]> wrote:
> We have been using signature-based systems but now feel the need for
> some additional security protection that might be provided via an
> anomaly-based IDS system (zero day exploits, etc).
>
> I'm not experienced with anomaly-based systems and know only what I've
> seen on the web, or several years ago at some trade shows. Some seem to
> be focused more on network operation but also have the IDS component. At
> least for right now, I've been asked to look at security systems.
>
> Any good ideas, suggestions, or horror stories about anomaly-based
> systems that may be a help would be appreciated. Up till now I've only
> been saving signature related emails from this list.
>
> Thanks,
> Dave
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of GMail
> Sent: Wednesday, January 09, 2008 2:59 AM
> To: [email protected]
> Subject: signature based IDS/IPS effectiveness
>
> focus-ids,
>
> How effective are signature based IDS/IPS systems on text based
> protocols which involve grammar, like PL/SQL? Using PL/SQL I can write
> the same query in different ways with different constructs that lead to
> different query patterns. So doesn't that mean stateless signature-based
> IDS/IPS are useless for database servers, etc.?
>
> Best Regards,
> Mayur
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

--
-p1g
SnortCP
,,__
o" )~ oink oink
' ' ' '
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke
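The "reverse signature" baseline approach described in the first post above, as an added example (not code from the post or from Enterasys Dragon): documented client/server/service tuples form the baseline, and every flow outside it is reported with a reason. The networks, services and flow records are constructed sample data.

```python
"""Baseline ("reverse signature") anomaly check on flow records (added example,
not code from the original post or from Enterasys Dragon): authorize the documented
traffic of the network, then report every flow outside that baseline. All networks,
services and flow records below are constructed sample data."""
from ipaddress import ip_address, ip_network

# Documented baseline: (authorized client network, server network, proto, port).
BASELINE = [
    ("10.1.0.0/16", "10.2.0.10/32", "tcp", 443),    # user LAN -> web app
    ("10.1.0.0/16", "10.2.0.53/32", "udp", 53),     # user LAN -> internal DNS
    ("10.2.0.10/32", "10.2.0.20/32", "tcp", 1521),  # web app -> Oracle listener
]

def compile_baseline(rules):
    """Parse the textual rules once into ip_network objects."""
    return [(ip_network(c), ip_network(s), p, int(port)) for c, s, p, port in rules]

def classify(flow, rules):
    """Return 'baseline' or a reason explaining why the flow is anomalous."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    proto, port = flow["proto"], int(flow["dport"])
    service_known = False
    for client_net, server_net, r_proto, r_port in rules:
        if dst in server_net and proto == r_proto and port == r_port:
            if src in client_net:
                return "baseline"          # documented client, documented service
            service_known = True           # documented service, undocumented client
    if service_known:
        return f"unauthorized client {src} for {proto}/{port} on {dst}"
    if any(dst in server_net for _, server_net, _, _ in rules):
        return f"undocumented service {proto}/{port} on known server {dst}"
    return f"flow to unknown destination {dst} ({proto}/{port})"

def detect(flows, rules=BASELINE):
    """Return [(flow, reason)] for every flow that falls outside the baseline."""
    compiled = compile_baseline(rules)
    results = ((f, classify(f, compiled)) for f in flows)
    return [(f, r) for f, r in results if r != "baseline"]

# Constructed sample flows (NetFlow-style records reduced to the fields used here).
SAMPLE_FLOWS = [
    {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "tcp", "dport": 443},     # documented
    {"src": "10.1.5.7", "dst": "10.2.0.20", "proto": "tcp", "dport": 1521},    # user straight to DB
    {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "tcp", "dport": 22},      # SSH to web app
    {"src": "10.2.0.10", "dst": "203.0.113.9", "proto": "tcp", "dport": 4444}, # web app to outside
    {"src": "10.1.5.7", "dst": "10.2.0.53", "proto": "udp", "dport": 53},      # documented
]
if __name__ == "__main__":
    for flow, reason in detect(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}: {reason}")
```

The baseline only pays off if it is kept complete and current, which is the maintenance work the post refers to; an undocumented but legitimate service shows up as an anomaly until someone adds it.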
