Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Reeves, Michael (GEAE, Compaq) (michael.reevesae.ge.com)
Date: Thu Oct 04 2001 - 09:53:39 CDT
I think SHADOW is still a very important part of an IDS architecture. I
helps you detect low and slow recon activity and is the ultimate forensic
analasys tool since you have the raw traffic. With todays IDS systems you
only see what shows up in your sensors that you specify so the ability to
correlate that with the RAW packet data helps reconstruct an event. It does
use lots of disk space depending on the amount of traffic you see and does
have some disadvantages. But I used to run the sensor portion right on the
same box with snort and it worked well.
From: Benninghoff, John [mailto:JABenninghoffDainRauscher.com]
Sent: Wednesday, October 03, 2001 4:51 PM
Subject: RE: SHADOW IDS goodhost.filter
I installed SHADOW before Snort was available, and it's somewhat dated,
so you may want to look at Snort instead. However, SHADOW has some
unique advantages that I like and I plan on adding Snort and continue to
That said, I take a different approach to SHADOW detection than what
they describe in the documentation, although my method works best with
I use the sensor filters only to filter out junk I don't care about
(routing protocols, non-IP traffic, etc) and traffic I can't filter with
the console filters.
On the console, I "develop" filters by first filtering virtually
nothing, then gradually adding rules to ignore traffic. They end up
looking something like this:
(not (src net 172.16 or src net 192.168.1.64/26 or dst net 224))
((tcp and tcp & 2 != 0 and tcp & 0x10 = 0) or udp)
(src net 192.168.2.64/26 and dst net 172.16.69/25 and tcp and (dst
port 514 or dst port 515 or dst port 21))
(udp dst port 161 and (src host 172.17.63.13 or src host
172.17.63.14 or src host 172.17.63.15))
(src host 192.168.102.15 and dst host 172.16.69.21 and tcp dst port
... more rules here ...
I split this into multiple filters (by protocol) when they get too big.
With this method, I ignore traffic that's "normal" and detect anomalous
traffic. I also use something similar to the included "tcp.filter" to
monitor administrative access (port 21,22, etc.) It sounds like
something similar would work for you.
From: jeffro [mailto:jeffrojeffro.ch]
Sent: Wednesday, October 03, 2001 5:32 PM
Subject: Re: SHADOW IDS goodhost.filter
Sorry I come back to precise that of course I tryed to remove some of
the host and of course it's works with only 7 host in the filter.
but my question is: how can I do if I want (and I did) to filter 12
goodhost ? (and dont tell me : just put it on separated files... :-))
Le 03 Oct 2001 18:13:38 -0400, security a ecrit :
> Hi everyone,
> I'm running since a few week SHADOW IDS and it looks like I have a
> little problem with the filters looking to dont log traffic wich
> "normal" for us.
> I'm set up 9 "goodhosts" and the tcpdump tell me that too many
> to proceed.
> Could any one tell me any thing about it or have any suggestion ?