Many companies have deployed a variety of network intrusion detection systems (NIDS) over time as their networks and security strategies have evolved. We certainly found ourselves in this position at the company I work for. We had deployed Snort[1], Dragon[2] and ManTrap[3] on the network, not to mention Tripwire[4] and all of the host system log files we have to audit. This created a piecemeal system that left us with several administration consoles and hundreds of events to sort through. We needed a way to bring them together into a single console that would enable our security personnel to aggregate, correlate and analyze them. Furthermore, we wanted to add more sensors to our network, preferably sensors based on a different technology than the signature-based systems we had already deployed. ManHunt[5], a protocol-anomaly-based NIDS offered by Recourse Technologies[6], seemed like it would fill our requirements. After a demo from Recourse we decided to initiate a pilot of the product, which I had the opportunity to coordinate and implement. This paper will focus on the features that were evaluated in the pilot against the high-level functional requirements specified here.