Near Real-Time Detection (Razorback) is the result of extensive research into detection of attacks hidden inside numerous layers of compression, obfuscation, and evasion techniques across multiple file formats. Razorback in its current form is a plugin to the Snort detection engine. Razorback addresses the issues with file format parsing by separating selected file types from transmitted data, which are then passed to additional detection engines either on local or distributed remote system(s). The intention is for the system to be extensible and not necessarily be a plugin for Snort.

Future development plans include providing Snort with automatic detection rule updates that an IPS deployment of Snort can use to protect the private network along with further enhancements aimed at data leak prevention. The system will also use templates to describe file types and a simple rule language to detect attacks.

Click here for code and presentation

This paper provides readers with an excellent overview of the criteria that need to be followed to select and properly scale an IDS / IPS enterprise installation.

It ranks the criteria as Must Have, Should Have, and Good to Have so you can prioritize different vendors’ IDS features.

This paper is a MUST-HAVE prior to starting any IDS / IPS implementation project.

http://www.snort.org/docs/IDS_criteria.pdf