[unisog] mirage counterpoint

Ryan Sumida rsumida at csulb.edu
Fri Jun 17 17:06:23 GMT 2005


I'm not very familiar with Argus but I've heard many good things about it.
That being said, our Network group did a short eval of the Counterpoint
appliance about 4 months ago.  One feature that may differentiate it from
Argus is that it can also run active prevention mechanisms along with
passively monitoring the network.  ARP manipulation and tarpitting/honey
pots are among the feature sets.

Ryan Sumida
Network Engineer
CSU Long Beach



unisog-bounces at lists.sans.org wrote on 06/17/2005 09:39:32 AM:

> On Fri, Jun 17, 2005 at 10:56:27AM -0400, Mark Brochu wrote:
> > Greetings all,
> > 
> > Recently we took a look at Mirage Network's Counterpoint appliance. It
> > is a linux based appliance that looks for traffic "anomalies" by
> > listening on different vlans.  It does this by listening to ethernet
> > (arp) activity as well as other higher layer activity.  It uses a
> > behavior based as opposed to a signature based approach to detect
> > malicious traffic.  I am wondering if anyone here has had experience with
> > it or could mention any other appliance that uses a similar detection
> > mechanism.  Thanks much!
> > 
> > Mark Brochu
> > Network Analyst
> > University of Hartford
> > 
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> 
>    While not an appliance (which may rule it out) a number of us here
> use argus (http://www.qosient.com/argus) in either the open source or
> commercial versions (depending on link speed) to do much the same.  Personally
> I've managed to shoot down all the "silver bullet, AI, fantastic, staffless
> security appliances" that my boss has tried to buy for me (although he is
> still convinced there is one, he just hasn't found it yet) by putting them in
> beside argus (I have a multiport regen tap on my links where argus runs
> partly for this very purpose :-)). So far bad things have shown up easily in
> argus (noting that since I have been running it for 6 or 7 years now it has
> the advantage) and either not been findable at all even if the raw data is
> there or shown up as 1 report in 20 to 40 false positives. There is an oldish
> article on our setup in
>
> http://www.usenix.org/publications/login/2001-11/pdfs/epp.pdf
>
> and I expect after the end of next month there will be more since I've been
> strong armed into being local content at the I2 Joint Tech workshop in
> Vancouver next month and there will be at least 2 presentations on argus
> there (and at least mine will likely be available online after that).
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
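The thread describes a behavior-based (rather than signature-based) appliance that watches ARP activity per VLAN. The following is an added example of what that detection logic looks like in practice; it is not Counterpoint's or Argus's code, and it is fed a constructed ARP trace, not captured data. It flags two behaviors without any payload signature: an IP address whose claimed MAC changes (the footprint of ARP cache poisoning, the thing "ARP manipulation" countermeasures act on), and a single host ARPing for many distinct addresses in a short window (the sweep a scanning host or worm produces). The thresholds are assumptions chosen for the sample, not vendor defaults.

```python
"""Toy behaviour-based ARP anomaly detector (added example, not vendor code)."""
from collections import defaultdict, deque
from dataclasses import dataclass

REQUEST, REPLY = 1, 2  # ARP opcodes (RFC 826)


@dataclass(frozen=True)
class ArpFrame:
    ts: float        # capture time in seconds
    vlan: int        # 802.1Q VLAN the frame was seen on
    src_mac: str     # sender hardware address
    sender_ip: str   # sender protocol address
    target_ip: str   # target protocol address
    op: int          # REQUEST or REPLY


class ArpAnomalyDetector:
    """Flags behaviours, not signatures. Thresholds are assumptions for the sample."""

    def __init__(self, sweep_threshold=20, sweep_window=10.0):
        self.sweep_threshold = sweep_threshold  # distinct targets per window
        self.sweep_window = sweep_window        # seconds
        self.bindings = {}                      # (vlan, ip) -> MAC last seen claiming it
        self.requests = defaultdict(deque)      # (vlan, mac) -> deque of (ts, target_ip)
        self.sweep_reported = set()             # one sweep alert per (vlan, mac)
        self.alerts = []

    def observe(self, f):
        self._check_binding(f)
        if f.op == REQUEST:
            self._check_sweep(f)

    def _check_binding(self, f):
        # An IP now claimed by a different MAC is what ARP cache poisoning looks
        # like on the wire (it is also what a NIC swap or router failover looks
        # like, so the operator still has to decide which it was).
        if f.sender_ip == "0.0.0.0":  # ARP probe (RFC 5227): sender address unset
            return
        key = (f.vlan, f.sender_ip)
        known = self.bindings.get(key)
        if known is None:
            self.bindings[key] = f.src_mac
        elif known != f.src_mac:
            self.alerts.append({"kind": "mac-change", "vlan": f.vlan, "ip": f.sender_ip,
                                "old_mac": known, "new_mac": f.src_mac, "ts": f.ts})
            self.bindings[key] = f.src_mac  # follow the latest claimant

    def _check_sweep(self, f):
        # One host asking for many distinct addresses inside a short window is a
        # scanner or worm regardless of what it sends once it finds a target.
        key = (f.vlan, f.src_mac)
        q = self.requests[key]
        q.append((f.ts, f.target_ip))
        while q and f.ts - q[0][0] > self.sweep_window:
            q.popleft()  # drop requests that fell out of the window
        distinct = {ip for _, ip in q}
        if len(distinct) >= self.sweep_threshold and key not in self.sweep_reported:
            self.sweep_reported.add(key)
            self.alerts.append({"kind": "arp-sweep", "vlan": f.vlan, "mac": f.src_mac,
                                "targets": len(distinct), "ts": f.ts})


def constructed_sample():
    """Constructed ARP traffic on VLAN 10; none of this is captured data."""
    gw, host = "00:11:22:33:44:fe", "00:11:22:33:44:01"
    attacker, scanner = "00:de:ad:be:ef:01", "00:11:22:33:44:77"
    frames = [
        ArpFrame(0.0, 10, host, "10.1.1.10", "10.1.1.1", REQUEST),
        ArpFrame(0.1, 10, gw, "10.1.1.1", "10.1.1.10", REPLY),
        ArpFrame(1.0, 10, host, "10.1.1.10", "10.1.1.1", REQUEST),
        ArpFrame(1.1, 10, gw, "10.1.1.1", "10.1.1.10", REPLY),
        # attacker answers for the gateway's IP: classic cache poisoning
        ArpFrame(5.0, 10, attacker, "10.1.1.1", "10.1.1.10", REPLY),
    ]
    # a scanning host ARPs for 25 consecutive addresses within 2.5 seconds
    frames += [ArpFrame(20.0 + i * 0.1, 10, scanner, "10.1.1.50",
                        f"10.1.1.{100 + i}", REQUEST) for i in range(25)]
    return frames


def run(frames, **kwargs):
    """Feed frames in time order and return the alerts raised."""
    det = ArpAnomalyDetector(**kwargs)
    for f in sorted(frames, key=lambda x: x.ts):
        det.observe(f)
    return det.alerts


if __name__ == "__main__":
    for alert in run(constructed_sample()):
        print(alert)
```

Against the constructed trace this raises one mac-change alert for 10.1.1.1 (gateway MAC replaced by the attacker's) and one arp-sweep alert for the scanning host once it has asked for 20 distinct targets; raising the sweep threshold above 25 leaves only the mac-change alert. The mac-change check is deliberately naive: VRRP/HSRP failover and hardware replacement trip it too, which is exactly the 1-in-20-to-40 false-positive ratio the thread complains about unless known legitimate binding changes are whitelisted. The active side the Counterpoint eval mentions (injecting ARP to isolate or tarpit the offending host) is not shown here.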