:2. Have they been useful or just generated noise and excess cycles? (1 -
:waste of time, 10 - water walker)
:3. Any 'real-world' comparative/useful data and/or opinion on different
:approaches...i.e. pattern matching, anomaly detection and/or data mining
The only real value from IDS data is based upon your ability to mine
and interpret it. This is something that IDS vendors have utterly
failed to provide a solution to, and something that most customers
haven't totally wrapped their heads around.
In fact, a separate IDS data mining and interpreting industry has
popped up with players like NetForensics and Intellitactics, and I'm
sure there are others. In fact, if SilentRunner took snort logs
(I haven't checked in a while) it would be an ideal solution for
It is to the point where it really doesn't matter what brand of
sensor you install, as none of them do data correlation effectively
enough to be used without a third party data mining solution, for
installations of more than a single sensor.
I have found that even having 0-day signatures for the most obscure
and dangerous exploits doesn't add much value to an IDS. This
is because even a skript kid with 0-day warez is going to probe,
portscan and reach for low hanging fruit before they will risk exposing
their more valuable toys to a potential honeypot. All an IDS is, is
a policy monitoring device, which you use to make operational decisions,
and potentially to augment your policy enforcement.
The value of IDS data is really only uncovered through correlation.
Anomaly based systems try to do this as part of the detection process,
whereas signature based systems assume it will be done in post processing.
Anomalies are ultimately just a different kind of signature anyway.
With things like ACID and other front ends to Snort, IMHO, the best
view of the data you can get is a listing of source ip addresses with the
number of unique alerts they generated over a long period of time.
The visualization tools from Intellitactics look like they were lifted
from caida.org. This doesn't undermine how useful and cool they are,
but it suggests that someone with more skills than I will think of a
way to parse snort logs into something like NetCDF or some other
scientific visualization format for use with real visualization and
data mining tools.
I spend most of my day watching IDSs that generate massive amounts of
data, and this information is based upon that experience.
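The per-source view the post describes (each source IP with the number of distinct alerts it triggered over a period, plus total volume and first/last seen) can be built directly from Snort's one-line alert output. The script below is an added example, not code from the poster or from the Snort, ACID or Intellitactics projects; it assumes the Snort "fast" alert line layout shown in the comment, and the sample lines, rule ids and addresses are constructed. Non-alert lines are skipped rather than aborting the run, which matters when feeding a large, partly corrupted log.

```python
"""Rank alert sources by how many distinct signatures they triggered.

Added example (not from the original post): parses Snort-style "fast" alert
lines and builds the per-source-IP view the post describes. The log format is
assumed; the sample lines below are constructed and use made-up rule ids.
"""
import re
from collections import defaultdict

# One Snort "fast" alert per line (assumed layout):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts; rule ids, messages and addresses are made up.
SAMPLE_ALERTS = """\
03/15-10:22:31.123456  [**] [1:900001:1] SCAN ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10
03/15-10:22:32.223456  [**] [1:900002:1] SNMP community probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:44123 -> 192.168.1.10:161
03/15-10:22:33.323456  [**] [1:900002:1] SNMP community probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:44124 -> 192.168.1.11:161
03/15-10:23:01.000001  [**] [1:900003:1] WEB-MISC path traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44200 -> 192.168.1.10:80
03/15-10:25:10.000001  [**] [1:900001:1] SCAN ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.3.7 -> 192.168.1.10
03/15-10:40:00.000001  [**] [1:900002:1] SNMP community probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 172.16.3.7:5000 -> 192.168.1.12:161
this line is not an alert and must be skipped, not crash the parser
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = (int(d["gid"]), int(d["sid"]))  # signature identity; rev is ignored
    return d


def summarize_sources(lines):
    """Aggregate per source IP: distinct rules, total alerts, first/last seen."""
    stats = defaultdict(lambda: {"rules": set(), "total": 0, "first": None, "last": None})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # tolerate junk lines in a large log
        s = stats[a["src"]]
        s["rules"].add(a["rule"])
        s["total"] += 1
        # Timestamps are MM/DD-HH:MM:SS.usec, so string order is chronological within a year.
        if s["first"] is None or a["ts"] < s["first"]:
            s["first"] = a["ts"]
        if s["last"] is None or a["ts"] > s["last"]:
            s["last"] = a["ts"]
    return stats


def top_sources(lines, limit=20):
    """Sources ranked by number of distinct signatures, then by total alert volume."""
    stats = summarize_sources(lines)
    rows = [(src, len(s["rules"]), s["total"], s["first"], s["last"]) for src, s in stats.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows[:limit]


if __name__ == "__main__":
    print(f"{'source':<16}{'uniq':>5}{'total':>7}  first_seen             last_seen")
    for src, uniq, total, first, last in top_sources(SAMPLE_ALERTS.splitlines()):
        print(f"{src:<16}{uniq:>5}{total:>7}  {first:<23}{last}")
```

Ranking by distinct signatures rather than raw alert count is what separates a host that is working its way through probes, scans and then application attacks from a host that merely trips one noisy rule thousands of times; the total column keeps the latter visible without letting it dominate the list.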