From: Reeves, Michael (GEAE, Compaq) (michael.reevesae.ge.com)
Date: Thu Oct 04 2001 - 09:53:39 CDT


    I think SHADOW is still a very important part of an IDS architecture. It
    helps you detect low and slow recon activity and is the ultimate forensic
    analysis tool since you have the raw traffic. With today's IDS systems you
    only see what shows up in the sensors you specify, so the ability to
    correlate that with the raw packet data helps reconstruct an event. It does
    use lots of disk space depending on the amount of traffic you see and does
    have some disadvantages. But I used to run the sensor portion right on the
    same box with Snort and it worked well.

    Mike

    -----Original Message-----
    From: Benninghoff, John [mailto:JABenninghoffDainRauscher.com]
    Sent: Wednesday, October 03, 2001 4:51 PM
    To: jeffro
    Cc: FOCUS-IDSsecurityfocus.com
    Subject: RE: SHADOW IDS goodhost.filter

    I installed SHADOW before Snort was available, and it's somewhat dated,
    so you may want to look at Snort instead. However, SHADOW has some
    unique advantages that I like, and I plan on adding Snort and continuing
    to use SHADOW.

    That said, I take a different approach to SHADOW detection than what
    they describe in the documentation, although my method works best with
    "well-defined" traffic.

    I use the sensor filters only to filter out junk I don't care about
    (routing protocols, non-IP traffic, etc.) and traffic I can't filter with
    the console filters.

    On the console, I "develop" filters by first filtering virtually
    nothing, then gradually adding rules to ignore traffic. They end up
    looking something like this:

    (not (src net 172.16 or src net 192.168.1.64/26 or dst net 224))
    and
    ((tcp and tcp[13] & 2 != 0 and tcp[13] & 0x10 = 0) or udp)
    and not
    (
        (src net 192.168.2.64/26 and dst net 172.16.69/25 and tcp
            and (dst port 514 or dst port 515 or dst port 21))
        or
        (udp dst port 161 and (src host 172.17.63.13 or src host 172.17.63.14
            or src host 172.17.63.15))
        or
        (src host 192.168.102.15 and dst host 172.16.69.21 and tcp dst port 25)
        ... more rules here ...
    )

    I split this into multiple filters (by protocol) when they get too big.

    With this method, I ignore traffic that's "normal" and detect anomalous
    traffic. I also use something similar to the included "tcp.filter" to
    monitor administrative access (ports 21, 22, etc.). It sounds like
    something similar would work for you.

    -----Original Message-----
    From: jeffro [mailto:jeffrojeffro.ch]
    Sent: Wednesday, October 03, 2001 5:32 PM
    To: 'FOCUS-IDSsecurityfocus.com'
    Subject: Re: SHADOW IDS goodhost.filter

    Sorry, I am coming back to clarify that of course I tried removing some of
    the hosts, and of course it works with only 7 hosts in the filter.

    But my question is: what can I do if I want (and I did) to filter 12
    goodhosts? (And don't tell me: just put them in separate files... :-))

    Best regards

    On 03 Oct 2001 18:13:38 -0400, security wrote:
    > Hi everyone,
    >
    > I have been running SHADOW IDS for a few weeks and it looks like I have a
    > little problem with the filters that are meant to not log traffic which
    > is "normal" for us.
    >
    > I set up 9 "goodhosts" and tcpdump tells me that there are too many
    > hosts to process.
    >
    > Could anyone tell me anything about it or have any suggestion?
    >
    > Jeff
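The filter-building approach John Benninghoff describes above (filter almost nothing at the sensor, then subtract the site's "normal" flows on the console, splitting into one filter per protocol when the expression gets too big) can be generated rather than hand-edited. The script below is an added example written for this page; it is not part of the thread and not SHADOW's own code. It emits tcpdump/BPF filter expressions from a list of normal flows, and every net, host and port in it is a constructed sample value chosen to mirror the thread's example. The NormalFlow class, build_filter and split_by_protocol are names introduced here, not SHADOW tooling.

```python
# Added example (not from the thread and not SHADOW's own code): build
# SHADOW console filters in tcpdump/BPF syntax the way the "ignore what is
# normal, alert on everything else" approach above describes, and split them
# into one filter per protocol so no single expression grows unwieldy.
# All nets, hosts and ports below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Base tests, keyed by protocol. tcp[13] is the TCP flags byte: SYN = 0x02,
# ACK = 0x10, so "SYN set, ACK clear" keeps only new connection attempts.
BASE_TESTS = {
    "tcp": "(tcp and tcp[13] & 2 != 0 and tcp[13] & 0x10 = 0)",
    "udp": "udp",
}


@dataclass(frozen=True)
class NormalFlow:
    """Traffic that is normal for the site and should not be reported."""
    proto: str                       # "tcp" or "udp"
    src: Tuple[str, ...] = ()        # BPF primitives without direction, e.g. "net 172.16", "host 10.0.0.1"
    dst: Tuple[str, ...] = ()
    dst_ports: Tuple[int, ...] = ()  # empty means any destination port


def _any_of(terms: List[str]) -> str:
    """Join alternatives with 'or', parenthesising only when there are several."""
    if len(terms) == 1:
        return terms[0]
    return "(" + " or ".join(terms) + ")"


def flow_clause(flow: NormalFlow) -> str:
    """Render one NormalFlow as a parenthesised BPF conjunction."""
    if flow.proto not in BASE_TESTS:
        raise ValueError("unsupported protocol: %r" % flow.proto)
    parts = []
    if flow.src:
        parts.append(_any_of(["src " + s for s in flow.src]))
    if flow.dst:
        parts.append(_any_of(["dst " + d for d in flow.dst]))
    parts.append(flow.proto)
    if flow.dst_ports:
        parts.append(_any_of(["dst port %d" % p for p in flow.dst_ports]))
    return "(" + " and ".join(parts) + ")"


def build_filter(skip: Iterable[str], flows: Iterable[NormalFlow],
                 protos: Tuple[str, ...] = ("tcp", "udp")) -> str:
    """Console filter: drop the junk in `skip`, keep the base tests for
    `protos`, then subtract every normal flow of those protocols."""
    skip = list(skip)
    flows = [f for f in flows if f.proto in protos]
    expr = _any_of([BASE_TESTS[p] for p in protos])
    if skip:
        expr = "not " + _any_of(skip) + " and " + expr
    if flows:
        expr += " and not " + _any_of([flow_clause(f) for f in flows])
    return expr


def split_by_protocol(skip: Iterable[str], flows: Iterable[NormalFlow]) -> Dict[str, str]:
    """One filter per protocol. This split is safe because the base tests are
    disjoint: a packet is either tcp or udp, so nothing ignored by one filter
    can leak through the other. Splitting the exception list by host instead
    would NOT be equivalent: 'base and not A' alone still reports the B traffic
    that 'base and not (A or B)' was meant to suppress."""
    skip = list(skip)
    flows = list(flows)
    return {p: build_filter(skip, flows, (p,)) for p in BASE_TESTS}


# Constructed sample site: addresses chosen to mirror the thread's example.
SKIP = ("src net 172.16", "src net 192.168.1.64/26", "dst net 224")
NORMAL_FLOWS = [
    NormalFlow("tcp", src=("net 192.168.2.64/26",), dst=("net 172.16.69/25",),
               dst_ports=(514, 515, 21)),
    NormalFlow("udp", src=("host 172.17.63.13", "host 172.17.63.14",
                           "host 172.17.63.15"), dst_ports=(161,)),
    NormalFlow("tcp", src=("host 192.168.102.15",), dst=("host 172.16.69.21",),
               dst_ports=(25,)),
]

if __name__ == "__main__":
    for proto, expr in split_by_protocol(SKIP, NORMAL_FLOWS).items():
        print("%s.filter:\n  %s\n" % (proto, expr))
```

Before putting a generated filter into service, compile it with tcpdump's -d option (for example `tcpdump -d -F udp.filter -r sample.pcap`, where the capture file only supplies the link type) and confirm it parses and that the BPF program is of a sensible size. Note the caveat in split_by_protocol: splitting a long exception list is only equivalent to the single big filter when the pieces partition the traffic on a disjoint key such as the protocol, not when they merely divide up the host list.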