[Bro] Baselining: The foundation of Specification Based IDS
jean-philippe luiggi
jean-philippe.luiggi at didconcept.com
Sun Nov 11 07:23:15 PST 2007
On Sun, 11 Nov 2007 15:08:54 +0800
"CS Lee" <geek00l at gmail.com> wrote:
> Hi all,
>
> I like the idea of specification based IDS, and since Vern has
> mentioned about it, I would like to gather the idea or suggestion of
> anyone who has done network baselining for their network, what are
> I know it should be different when applying on different networks but
> getting the idea is great.
Hello everybody,
As announced by Vern, to use specifications is a very good method and
the concepts used by Bro show their interest fully.
For me the specifications go first of all by a phase of
recognition to the direction training of what exists.
The problem within the framework of campus or corporate networks is
that the environment should already be known because it may be that
needs (speaking of networks flows) exist and who seem us odd while
being legitimate.
If in the case of a local area network, to obtain information is more
or less easy, in the case of distant sites, it is less obvious.
In this case, i used Netflow technology which enabled me to check
what occurred and then allow me to act.
Please note that i used statisticals methods over the Netflow data in
order to get accurate results (i had more than 100 routers/switchs).
Best regards,
Jean-philippe.
More information about the Bro
mailing list