Baselining: The foundation of Specification Based IDS

Hi all,

I like the idea of specification based IDS, and since Vern has mentioned about it, I would like to gather the idea or suggestion of anyone who has done network baselining for their network, what are the tools and methodologies used by people around here to build the baseline of their network, and what kind of data are important for that matter(for example I myself prefer to use statistical and flow based tools to do that) however I really like to hear from the bro community.

I know it should be different when applying on different networks but getting the idea is great.


Hello everybody,

As announced by Vern, to use specifications is a very good method and
the concepts used by Bro show their interest fully.
For me the specifications go first of all by a phase of
recognition to the direction training of what exists.
The problem within the framework of campus or corporate networks is
that the environment should already be known because it may be that
needs (speaking of networks flows) exist and who seem us odd while
being legitimate.
If in the case of a local area network, to obtain information is more
or less easy, in the case of distant sites, it is less obvious.
In this case, i used Netflow technology which enabled me to check
what occurred and then allow me to act.

Please note that i used statisticals methods over the Netflow data in
order to get accurate results (i had more than 100 routers/switchs).

Best regards,