On Fri, 31 May 2002, Brandon Knicely wrote:

:2. Have they been useful or just generated noise and excess cycles? (1 -
:waste of time, 10 - water walker)
:3. Any 'real-world' comparative/useful data and/or opinion on different
:approaches...ie pattern matching, anomaly detection and/or data mining
:approaches?

The only real value from IDS data is based upon your ability to mine and interpret it. This is something that IDS vendors have utterly failed to provide a solution to, and something that most customers haven't totally wrapped their head around. In fact, a separate IDS data mining and interpreting industry has popped up with players like NetForensics, Intellitactics and I'm sure there are others. In fact, if SilentRunner took snort logs (I haven't checked in a while) it would be an ideal solution for many.

It is to the point where it really doesn't matter what brand of sensor you install, as none of them do data correlation effectively enough to be used without a third party data mining solution, for installations of more than a single sensor.

I have found that even having 0-day signatures for the most obscure and dangerous exploits doesn't add much value to an IDS. This is because even a skript kid with 0-day warez is going to probe, portscan and reach for low hanging fruit before they will risk exposing their more valuable toys to a potential honeypot.

All an IDS is, is a policy monitoring device, which you use to make operational decisions, and potentially to augment your policy enforcement. The value of IDS data is really only uncovered through correlation. Anomaly based systems try to do this as part of the detection process, whereas signature based systems assume it will be done in post processing. Anomalies are ultimately just a different kind of signature anyway. :)

With things like ACID and other front ends to Snort, IMHO, the best view of the data you can get is a listing of source ip addresses with the number of unique alerts they generated over a long period of time.

The visualization tools from Intellitactics look like they were lifted from caida.org. This doesn't undermine how useful and cool they are, but it suggests that someone with more skills than I will think of a way to parse snort logs into something like NetCDF or some other scientific visualization format for use with real visualization and data mining tools.

I spend most of my day watching IDSs that generate massive amounts of data, and this information is based upon that experience.

Cheers,

--
batz
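The "source IP with number of unique alerts" view batz describes, as an added example that is not part of the original thread: a small Python script that parses the classic one-line Snort alert_fast format and ranks sources by distinct signature IDs (the log lines, signature IDs and addresses below are constructed for illustration, and the regex assumes the Snort 1.x/2.x fast-alert layout).

```python
import re
from collections import defaultdict

# Constructed sample in Snort alert_fast layout:
#   TIMESTAMP  [**] [gid:sid:rev] MSG [**] [Classification: ...] [Priority: n] {PROTO} SRC[:port] -> DST[:port]
SAMPLE = """\
05/31-10:15:22.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.20
05/31-10:15:23.001122  [**] [1:1228:3] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:61234 -> 192.168.1.20:80
05/31-10:15:24.445566  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.21
05/31-11:02:10.778899  [**] [1:1228:3] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.4.9:40000 -> 192.168.1.20:22
05/31-11:02:11.000000  [**] [1:2003:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.4.9:40001 -> 192.168.1.20:80
05/31-11:02:12.000000  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 172.16.4.9:40002 -> 192.168.1.20:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def summarize_by_source(lines):
    """Per source IP: total alerts, set of distinct signature IDs, first/last timestamp seen.
    Lines that do not match the alert layout (blank lines, stats output) are skipped.
    first/last rely on the file being in chronological order, as Snort writes it."""
    stats = defaultdict(lambda: {"total": 0, "sids": set(), "first": None, "last": None})
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s["total"] += 1
        s["sids"].add(m["sid"])
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return stats

def rank_sources(lines):
    """Sources ordered by number of distinct signatures, then by total alert volume."""
    stats = summarize_by_source(lines)
    rows = ((src, len(v["sids"]), v["total"], v["first"], v["last"]) for src, v in stats.items())
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

if __name__ == "__main__":
    for src, uniq, total, first, last in rank_sources(SAMPLE.splitlines()):
        print(f"{src:<16} unique={uniq:<3} total={total:<4} {first} .. {last}")
```

A host that trips many different signatures over weeks stands out from one that repeats a single noisy rule, which is the distinction a raw per-signature alert count hides.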