Anyone know which opensource network IDSs are using anomaly techniques? My project is to compare them, so if you could give me some hints, that would be much appreciated.
Currently, I am looking at Snort with SPADE and Snort.AD pre-processor. Bro also claims to be able to detect novel attacks (anomaly detection function), but I can't find any documents explaining how Bro achieved that.
That's funny, I was just reading about SPADE yesterday because I had a similar question. I'd be curious to hear more about what you come up with.
Meanwhile, I can point you to some other resources. There has been some talk about anomaly detection on the dailydave mailing list over the past two months, but no particular tool or technique stood out and there was a bit of a blast over a missing video. Perhaps worth checking out, though.
My introduction to anomaly detection was around a decade ago via Ourmon (free, open-source software) and Lancope (commercial). Shortly thereafter, SPADE and Bro started to appear on the scene as potentials in the open-source space. I had always been curiously into NetFlow data as an anomaly source, and today you have FOSS tools such as FlowMatrix or FlowBAT if you prefer the CERT SiLK tools.
I have run across one use of Bro (via the SecurityOnion project) to perform DNS anomaly detection. Typically, others are integrating their detective capabilities into Splunk (as there are many books written) -- and in particular, the Prelert toolsuites are focused in that direction (with demos, much like Splunk). To that end, I also found this page on syslog anomaly-based log analyzers. Finally, a tool called Skyline appeared interesting, albeit starting from a more ITOps perspective.
