ManHunt 2.0 is an intrusion detection, analysis and response system that operates at nearly 1G bit/sec, says Frank Huerta, president, CEO and founder of Recourse, based in Redwood City, Calif.
It differs from most IDSs in that it looks for attacks based on what Recourse calls protocol anomalies, meaning a deviation in how a given protocol is supposed to appear. That approach enables ManHunt to detect even new forms of attacks, he says.
Traditional IDSs find attacks by relying on intrusion signatures, which are code that describes what an attack looks like. While ManHunt also supports a signature approach, using that strategy alone will catch only those forms of attacks that have been previously identified.
Another ManHunt differentiator is its speed, as most other IDSs can monitor only about 100M bit/sec of traffic at a time, Huerta says.
ManHunt 2.0 makes it easier for customers to add custom signatures and to watch for specified behavior in inbound or outbound traffic. ManHunt can import any signature that uses the Snort freeware IDS format, says Fred Kost, vice president of marketing and product development for Recourse.
It can also be programmed to watch for specific words, such as "confidential" or the names of companies involved in an impending merger. The product can also now tap into traffic flow statistics on network routers to help track hackers by determining where packets are going to and coming from.
Software development kit on the way
Analysis capabilities have been improved with the ability to correlate data coming from multiple ManHunt nodes as well as from third-party security tools. Products from Cisco, Internet Security Systems, Enterasys and Snort.org are supported now, Kost says, and an XML-based facility enables Recourse to more easily develop support for additional vendors as requested by customers.
A software development kit that enables customers to develop third-party plug-ins on their own is under development, he says.
A new policy-based traffic recording feature enables users to capture more data about new forms of attacks. For example, an electronic commerce site that is particularly interested in new forms of HTTP-based attacks can detail parameters under which ManHunt's traffic recorder will kick in. Should a conforming HTTP attack occur, the idea is that ManHunt will be able to capture enough data such that the customer can write a signature to detect the same type of attack in the future.
Reporting capabilities have also been enhanced in ManHunt 2.0. Users can program the console to kick off various forms of alerts depending on alarm severity and type. And new Web- and SQL-based reporting tools enable customers to create custom charts and graphs that detail threat summaries and identify trends.
ManHunt 2.0 is scheduled to be available March 1. Pricing starts at $25,000 for a configuration capable of monitoring about 200M bit/sec of traffic. A 1G version costs about $100,000. Huerta says most of the company's 120+ customers have deals worth around $100,000.