This software network-based IDS product requires a dedicated machine running Solaris 8 on either Sun SPARC or Intel hardware. The hardware specification depends on the amount of traffic to be monitored, and gigabit monitoring interfaces are supported. We were supplied with a pre-installed system on a Dell PowerEdge rack-mounted server; customers, however, must provide their own hardware, and the prices quoted are for the software only.
ManHunt uses multiple detection methodologies, including protocol anomaly detection, stateful signature detection, traffic rate monitoring, statistical flow analysis and IP fragment reassembly. It also supports signature detection, including custom signatures, but Symantec does not supply a signature database; only a few signatures are embedded in the ManHunt state machines. Since many exploits do not violate any protocol and therefore never show up as protocol anomalies, making the product effective means importing large numbers of open-source Snort signatures. Administrators can also write custom attack signatures in a subset of the Snort signature format.
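To make the point about the two detection methods concrete, the following Python is an added example written for this review page; it is not code from the review or from Symantec's ManHunt. It runs a small HTTP protocol-anomaly check and a matcher for rules in the public Snort format over constructed HTTP requests, and shows that a well-formed request carrying an exploit string passes the anomaly check and is only caught by a signature, while a malformed request is caught by the anomaly check alone. The rules, addresses, requests and the request-line length threshold are constructed for illustration; which subset of Snort syntax ManHunt accepted is not stated in the review, so the options supported here (content, uricontent, nocase, msg, sid) are an assumption.

```python
"""Added example: protocol-anomaly check versus Snort-format signature match.
Not code from the review or from Symantec ManHunt; rules, samples and the
request-line threshold below are constructed for illustration."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# name, optional ':' then either a quoted value or a bare value, then ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?\s*;')


def parse_rule(text):
    """Parse one Snort-style rule (assumed subset) into a dict for match_rule()."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule["contents"], rule["msg"], rule["sid"] = [], "", None
    for name, quoted, bare in OPTION_RE.findall(m.group("body")):
        value = quoted if quoted else bare.strip()
        if name in ("content", "uricontent"):
            rule["contents"].append({"pattern": value, "uri": name == "uricontent", "nocase": False})
        elif name == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True  # nocase modifies the preceding content
        elif name == "msg":
            rule["msg"] = value
        elif name == "sid":
            rule["sid"] = int(value)
        # other options (rev, classtype, flow, ...) are ignored in this subset
    return rule


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def split_request_line(payload):
    """Return (method, uri, version) for an HTTP request, or None if the first line lacks three tokens."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return tuple(parts) if len(parts) == 3 else None


def match_rule(rule, pkt):
    """True when the packet's 5-tuple and payload satisfy every condition of the rule."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"])):
        return False
    for c in rule["contents"]:
        haystack = pkt["payload"]
        if c["uri"]:
            rl = split_request_line(haystack)
            if rl is None:
                return False
            haystack = rl[1]
        needle = c["pattern"].encode()
        if c["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
MAX_REQUEST_LINE = 2048  # assumed threshold; a real product makes this configurable


def http_anomalies(payload):
    """Return the protocol violations found in an HTTP request (empty list = looks legal)."""
    rl = split_request_line(payload)
    if rl is None:
        return ["request line does not have three tokens"]
    method, _uri, version = rl
    lines = payload.split(b"\r\n")
    findings = []
    if method not in HTTP_METHODS:
        findings.append("unknown method %r" % method.decode("latin-1"))
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        findings.append("bad version %r" % version.decode("latin-1"))
    if len(lines[0]) > MAX_REQUEST_LINE:
        findings.append("request line of %d bytes exceeds %d" % (len(lines[0]), MAX_REQUEST_LINE))
    for h in lines[1:]:
        if h == b"":
            break  # end of headers
        if b":" not in h:
            findings.append("header without colon: %r" % h[:40].decode("latin-1"))
    return findings


def inspect_packet(pkt, rules):
    """Run both engines on one packet: (anomaly findings, sids of matching rules)."""
    anomalies = http_anomalies(pkt["payload"]) if pkt["dport"] == 80 else []
    return anomalies, [r["sid"] for r in rules if match_rule(r, pkt)]


# Constructed rules (Snort syntax, hypothetical sids; not from any distribution)
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001;)',
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"WEB-CGI formmail access"; uricontent:"/cgi-bin/"; content:"formmail"; nocase; sid:1000002;)',
)]


def make_http(payload, dst="192.0.2.10"):
    return {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": dst, "dport": 80, "payload": payload}


# Constructed sample requests
SAMPLES = {
    "benign": make_http(b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    "traversal": make_http(b"GET /../../../etc/passwd HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    "formmail": make_http(b"GET /cgi-bin/FormMail.pl?recipient=x HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "malformed": make_http(b"FOO /" + b"A" * 3000 + b" HTTP/9.9\r\nno-colon-header\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_packet(pkt, RULES))
```

The traversal and formmail requests are syntactically perfect HTTP, so the anomaly engine reports nothing for them and only the signatures fire; the malformed request trips several protocol checks but matches no signature. That split is why an anomaly-based sensor shipped without a signature set needs the Snort rules the review mentions.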
The administration utility is a Java-based console that runs on Windows, Solaris or Linux; it requires the Java 2 Runtime Environment, which is included.
The administration console lets administrators define which devices to monitor, view incidents, configure monitoring nodes and response policies, and generate reports. Although policies are created and managed from the console, they are stored on a master node within the cluster of monitoring nodes.
The master node automatically propagates the policy database to the slave nodes in the cluster, and a proprietary protocol called QSP proxy encrypts communication between the distributed components of the system.
Pre-defined reports and drill-down options allow reports to be filtered by categories such as source IP, destination IP, protocol and port. The product can also record traffic for forensic analysis.
It scales to large networks and integrates easily with other appliances. Depending on the hardware platform, one ManHunt node can monitor up to 12 Fast Ethernet (100 Mbit/s) segments or four Gigabit Ethernet ports. More than 100 nodes can be configured to form a ManHunt cluster, and the entire cluster can be managed from a single administration console.
Very nice user interface, easy to use, and scalable.
Does not offer advice on preventative action to ensure the attack does not happen again.
It does a good job of detecting protocol anomalies, but you need to download open-source signatures from Snort, as none are provided in the box. Since the review, Symantec says it has added signature packs and rapid response signatures.