[unisog] mirage counterpoint

Peter Van Epp vanepp at sfu.ca
Fri Jun 17 16:39:32 GMT 2005


On Fri, Jun 17, 2005 at 10:56:27AM -0400, Mark Brochu wrote:
> Greetings all,
> 
> Recently we took a look at Mirage Network's Counterpoint appliance.  It 
> is a linux based appliance that looks for traffic "anomalies" by 
> listening on different vlans.  It does this by listening to ethernet 
> (arp) activity as well as other higher layer activity.  It uses a 
> behavior based as opposed to a signature based approach to detect 
> malicious traffic.  I am wondering if anyone here has had experience with 
> it or could mention any other appliance that uses a similar detection 
> mechanism.  Thanks much!
> 
> Mark Brochu
> Network Analyst
> University of Hartford
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

	While not an appliance (which may rule it out) a number of us here 
use argus (http://www.qosient.com/argus) in either the open source or 
commercial versions (depending on link speed) to do much the same. Personally
I've managed to shoot down all the "silver bullet, AI, fantastic, staffless
security appliances" that my boss has tried to buy for me (although he is 
still convinced there is one, he just hasn't found it yet) by putting them in
beside argus (I have a multiport regen tap on my links where argus runs 
partly for this very purpose :-)). So far bad things have shown up easily in
argus (noting that since I have been running it for 6 or 7 years now it has 
the advantage) and either not been findable at all even if the raw data is 
there or shown up as 1 report in 20 to 40 false positives. There is an oldish
article on our setup in 

http://www.usenix.org/publications/login/2001-11/pdfs/epp.pdf

and I expect after the end of next month there will be more since I've been 
strong-armed into being local content at the I2 Joint Tech workshop in 
Vancouver next month and there will be at least 2 presentations on argus 
there (and at least mine will likely be available online after that).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
