[Oisf-users] Anomaly-based vs Rule-based NIDS
Cooper F. Nelson
cnelson at ucsd.edu
Wed Mar 4 19:37:32 UTC 2020
It depends on how you define 'anomaly' and whether or not you can
express that in the suricata rule language.
You can write rules to detect protocol anomalies using keywords. Like
'!tls' against TCP port 443 traffic.
There are also rulesets to detect anomalies within protocols:
https://github.com/OISF/suricata/tree/master/rules
I periodically discuss this in presentations: if you build a 'zero
trust' network and define authorized servers, ports and protocols, you
can then write rules to alert against any traffic that doesn't match that.
-Coop
On 3/4/2020 11:02 AM, Lucas Augusto Mota de Alcantara wrote:
> Hello everyone. I'd like to know if there's any available data or
> piece of information about the popularity of Rule-Based NIDS in
> comparison with Anomaly-Based NIDS in the market.
>
> Does Suricata have any kind of anomaly-based detection tool, or does it only
> work with signatures?
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
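The two ideas in the reply above, the '!tls on port 443' protocol-anomaly rule and the zero-trust inventory that alerts on anything not authorized, as an added Python example that is not code from the thread or from the Suricata project. The inventory, addresses and sid range are constructed; the generated rules rely on Suricata's app-layer-protocol keyword and its port and address negation syntax.

```python
# Added example (not code from the thread or the Suricata project): emit
# Suricata rules from a zero-trust inventory of authorized services.
# The inventory, addresses and sid range below are constructed.
from collections import defaultdict

# Constructed inventory: the only (server, transport, port, app-layer
# protocol) combinations the network is authorized to offer.
AUTHORIZED = [
    ("10.10.1.10", "tcp", 443, "tls"),  # web front end
    ("10.10.1.20", "tcp", 22, "ssh"),   # jump host
    ("10.10.1.30", "udp", 53, "dns"),   # resolver
]

def rule(transport, dst, port, msg, sid, extra=""):
    """One Suricata alert rule for client-to-server traffic."""
    return (f"alert {transport} any any -> {dst} {port} "
            f'(msg:"{msg}"; flow:to_server; {extra}sid:{sid}; rev:1;)')

def zero_trust_rules(inventory, base_sid=2000000):
    """Three rule families that together alert on every flow into $HOME_NET
    that is not an authorized (server, port, protocol) triple:
      1. wrong protocol on an authorized port (the '!tls on 443' idea),
      2. a port on an authorized server other than its authorized ones,
      3. any traffic to a $HOME_NET host that is not an authorized server."""
    rules, sid = [], base_sid
    ports = defaultdict(list)
    for server, transport, port, proto in inventory:
        rules.append(rule(transport, server, port,
                          f"Non-{proto} traffic to {server}:{port}", sid,
                          f"app-layer-protocol:!{proto}; "))
        sid += 1
        ports[(server, transport)].append(port)
    servers = sorted({entry[0] for entry in inventory})
    for server in servers:
        for transport in ("tcp", "udp"):
            allowed = ports.get((server, transport))
            # Negated port list; with no allowed ports on this transport,
            # 'any' makes all such traffic alert.
            dport = f"![{','.join(map(str, allowed))}]" if allowed else "any"
            rules.append(rule(transport, server, dport,
                              f"Unauthorized {transport} port on {server}", sid))
            sid += 1
    # Address list syntax: $HOME_NET minus each authorized server.
    others = "[$HOME_NET," + ",".join(f"!{s}" for s in servers) + "]"
    for transport in ("tcp", "udp"):
        rules.append(rule(transport, others, "any",
                          "Traffic to a host that is not an authorized server", sid))
        sid += 1
    return rules
```

Families 2 and 3 match every client packet of an unauthorized flow, so in a real deployment pair them with a threshold keyword (for example one alert per source per minute) to keep the alert volume manageable.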