looking for IDS's based on network behavior analysis

on 24.10.2007 14:44:21 by gustavo

Hello all!



I'm doing a comparative study of IDSs that work with Network
Behavior Analysis (NBA), also known as Traffic Anomaly Based, and I
would like to know if any of you can suggest some tools for my work,
or preferably a list.

The desirable qualities are:



- not commercial (at least with an evaluation period)

- can work in offline mode against trace repositories (not strictly necessary)



If anybody wants to exchange some information, please contact me; I can also
show what I've got so far...



Thanks a lot!



Gustavo

Re: looking for IDS's based on network behavior analysis

on 24.10.2007 16:30:10 by zirastan

On Oct 24, 8:44 am, Gustavo wrote:
> Hello all!
>
> I'm doing a comparative study of IDSs that work with Network
> Behavior Analysis (NBA), also known as Traffic Anomaly Based, and I
> would like to know if any of you can suggest some tools for my work,
> or preferably a list.
>
> The desirable qualities are:
>
> - not commercial (at least with an evaluation period)
>
> - can work in offline mode against trace repositories (not strictly necessary)
>
> If anybody wants to exchange some information, please contact me; I can also
> show what I've got so far...
>
> Thanks a lot!
>
> Gustavo


Check this new software-only NBA system: http://www.akmalabs.com

Al

Re: looking for IDS's based on network behavior analysis

on 24.10.2007 18:43:15 by Sebastian Gottschalk

Gustavo wrote:

> Hello all!
>
>
>
> I'm doing a comparative study of IDSs that work with Network
> Behavior Analysis (NBA), also known as Traffic Anomaly Based, and I
> would like to know if any of you can suggest some tools for my work,
> or preferably a list.


I'd recommend you do a comparative study of running or not running such
an IDS at all. For most companies, practical trials have shown that running
such an IDS requires a lot of effort, at least two full-time
professionals, and achieves very little security.

Better to wait 10 years until log analysis has improved to a sufficient
level of intelligence in automation.

Re: looking for IDS's based on network behavior analysis

on 07.11.2007 03:30:54 by BG

Consider an IPS (Intrusion Prevention System). Some are IDSs with some
expanded functionality and others are built from the ground up to go in-line.
Check latency and throughput along with attack coverage and timeliness.

IDSs are OK if, as noted below, you have lots of time OR have a specific
need for forensic analysis (but at the cost of actually stopping anything).

Some IPSs have integrations with NBAD vendors such as Mazu or Lancope.
NBAD is good for the "low and slow" attacks and IPS for standard network
security.

Good Luck.

-BG

Sebastian G. wrote:
> Gustavo wrote:
>
>> Hello all!
>>
>>
>>
>> I'm doing a comparative study of IDSs that work with Network
>> Behavior Analysis (NBA), also known as Traffic Anomaly Based, and I
>> would like to know if any of you can suggest some tools for my work,
>> or preferably a list.
>
>
> I'd recommend you do a comparative study of running or not running
> such an IDS at all. For most companies, practical trials have shown
> that running such an IDS requires a lot of effort, at least two
> full-time professionals, and achieves very little security.
>
> Better to wait 10 years until log analysis has improved to a
> sufficient level of intelligence in automation.

Re: looking for IDS's based on network behavior analysis

on 07.11.2007 16:45:07 by chkrootkit2

On Nov 6, 9:30 pm, bg wrote:
> Consider an IPS (Intrusion Prevention System). Some are IDSs with some
> expanded functionality and others are built from the ground up to go in-line.
> Check latency and throughput along with attack coverage and timeliness.
>
> IDSs are OK if, as noted below, you have lots of time OR have a specific
> need for forensic analysis (but at the cost of actually stopping anything).
>
> Some IPSs have integrations with NBAD vendors such as Mazu or Lancope.
> NBAD is good for the "low and slow" attacks and IPS for standard network
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That's not entirely correct with modern NBADs. Yes, the old ones
suffered this problem, but many modern ones have a "resolution" as high
as 1 minute. I'd not call it too slow. As such, they're valuable
additions to IDS/IPS defenses (which have their shares of problems too).

Best,

S.
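
For readers who want to see what the thread is arguing about in code, here is an added example of the kind of offline traffic-anomaly check an NBA/NBAD tool performs. It is not code from any poster or from any vendor named above, and the flow trace it runs on is constructed, not captured. It covers Gustavo's requirement of working offline over a trace repository (the input is just a list of flow records), and it shows how BG's "low and slow" point and chkrootkit2's 1-minute resolution interact: resolution sets the bin size, but a slow scanner that touches one new port every two minutes only stands out when the detector looks across a window of many bins. Host names, addresses, port ranges and the threshold are all illustrative assumptions.

```python
"""Toy flow-level anomaly detector (added example, not a real NBA product).

Flags sources that contact an unusually large number of distinct
(destination, port) pairs within a sliding time window. It runs offline
over a list of flow records, so it can be pointed at a trace repository
instead of a live tap.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, epoch seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    nbytes: int    # bytes carried (unused by this check, kept for realism)


def targets_per_bin(flows, resolution=60):
    """Return {src: {bin_id: set of (dst, dport)}} at `resolution` seconds.

    `resolution` is the NBAD "resolution" chkrootkit2 mentions: the finest
    time slice the detector reasons about (1 minute by default).
    """
    table = defaultdict(lambda: defaultdict(set))
    for f in flows:
        table[f.src][f.ts // resolution].add((f.dst, f.dport))
    return table


def max_window_fanout(bins, window_bins):
    """Largest number of distinct targets one source hit in any run of
    `window_bins` consecutive bins. Empty bins inside a window count as
    contributing nothing, so gaps do not hide a slow scanner."""
    if not bins:
        return 0
    lo, hi = min(bins), max(bins)
    best = 0
    for start in range(lo, hi + 1):
        seen = set()
        for b in range(start, start + window_bins):
            seen |= bins.get(b, set())
        best = max(best, len(seen))
    return best


def detect_scanners(flows, resolution=60, window_bins=1, threshold=20):
    """Return {src: fanout} for every source whose maximum fanout over any
    window of `window_bins` bins reaches `threshold` distinct targets."""
    hits = {}
    for src, bins in targets_per_bin(flows, resolution).items():
        fanout = max_window_fanout(bins, window_bins)
        if fanout >= threshold:
            hits[src] = fanout
    return hits


def sample_flows():
    """Constructed two-hour trace (assumption: not real capture data)."""
    t0 = 1_193_234_400  # arbitrary epoch base, Oct 2007
    flows = []
    # Normal client 10.0.0.5: the same three web servers, every minute.
    for m in range(120):
        for dst, port in (("192.0.2.10", 443), ("192.0.2.11", 443), ("192.0.2.12", 80)):
            flows.append(Flow(t0 + 60 * m, "10.0.0.5", dst, port, 1500))
    # Fast scanner 10.0.0.7: 50 ports on one host within a single minute.
    for port in range(1, 51):
        flows.append(Flow(t0 + 60 * 10 + port, "10.0.0.7", "203.0.113.1", port, 60))
    # Low-and-slow scanner 10.0.0.99: one new port every two minutes for two hours.
    for i in range(60):
        flows.append(Flow(t0 + 120 * i, "10.0.0.99", "203.0.113.1", 1000 + i, 60))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    # Per-minute view only: the fast scanner trips, the slow one does not.
    print("1-minute window :", detect_scanners(flows, window_bins=1))
    # Same 1-minute resolution, but a 60-bin (one hour) sliding window.
    print("60-minute window:", detect_scanners(flows, window_bins=60))
```

With the default threshold of 20 distinct targets, the one-bin window reports only 10.0.0.7 (fanout 50); the 60-bin window additionally reports 10.0.0.99 (fanout 30), while 10.0.0.5 never exceeds 3. The window length, not the bin resolution, is what decides whether a slow scan is visible; a real tool would also baseline the fanout per source rather than use one fixed threshold.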