SHADOW is an intrusion detection system based on PC-class hardware running 
freely available software components. A SHADOW system consists of at least 
two pieces: a sensor located at a point between an organization's firewall 
and its Internet connection, and an analyzer located inside the firewall. 

SHADOW performs traffic analysis: the sensor collects address information 
from all IP packets that travel between an organization and the Internet, 
and the analyzer examines the collected data and displays user-defined "events 
of interest" on a web page. SHADOW is based on the tcpdump and libpcap software 
packages developed at the Lawrence Berkeley Laboratory, which collect packet 
address information and filter the collected traffic data according to 
user-defined criteria. Software developed at the Naval Surface Warfare Center 
Dahlgren Division converts the filtered results into web pages and provides 
a set of supporting tools for a web server on the analyzer station. An 
intrusion detection analyst examines the results using any web browser. 

SHADOW displays traffic patterns based on filters constructed by an analyst 
to identify atypical traffic. Stock SHADOW filters display 
anomalous activities such as Back Orifice probes, Land attacks, or the 
Ping of Death. Analysts are encouraged to modify and add to the filters as 
their needs dictate. Knowledgeable analysts are key to successful SHADOW 
implementations.
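The sensor/analyzer split described above can be illustrated with a small analyzer that applies analyst-defined "events of interest" filters to captured address records. This is an added example, not SHADOW's own code: the capture lines are constructed, simplified tcpdump-style records (time, addresses, ports, protocol, length), the organization's network 192.0.2.0/24 is an assumption, and the filters shown are this example's own, covering two of the stock cases named in the text (Back Orifice probes on UDP port 31337, Land packets whose source equals their destination) plus one analyst-added filter for inbound telnet from outside. Ping of Death detection needs fragment reassembly and is left out.

```python
"""Toy SHADOW-style analyzer: parse address records the sensor collected,
apply analyst-defined filters, and render a plain-text report in place of
the web page. Added illustration; not SHADOW's code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: the organization's address space (analyst-configured).
ORG_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed, simplified tcpdump -n style lines (not a real capture).
CAPTURE = """\
10:00:01.000001 IP 203.0.113.7.40000 > 192.0.2.10.31337: UDP, length 18
10:00:01.000452 IP 192.0.2.10.80 > 198.51.100.5.51234: TCP, length 0
10:00:02.100000 IP 192.0.2.10.139 > 192.0.2.10.139: TCP, length 0
10:00:02.500000 IP 203.0.113.9.3000 > 192.0.2.20.23: TCP, length 0
10:00:03.000000 IP 203.0.113.7 > 192.0.2.10: ICMP, length 64
10:00:03.200000 IP 192.0.2.20.23 > 203.0.113.9.3000: TCP, length 0
"""

LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): (\w+), length (\d+)$")


@dataclass
class Record:
    time: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    length: int


def split_endpoint(ep: str, proto: str):
    """'host.port' for TCP/UDP; ICMP endpoints carry no port."""
    if proto in ("TCP", "UDP"):
        host, _, port = ep.rpartition(".")
        return host, int(port)
    return ep, None


def parse_capture(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines the sensor format does not cover are skipped
        t, s, d, proto, length = m.groups()
        src, sport = split_endpoint(s, proto)
        dst, dport = split_endpoint(d, proto)
        records.append(Record(t, proto, src, sport, dst, dport, int(length)))
    return records


def inside_org(addr: str) -> bool:
    return ipaddress.ip_address(addr) in ORG_NET


# Filters are plain predicates so an analyst can add or change them freely.
STOCK_FILTERS: Dict[str, Callable[[Record], bool]] = {
    # Back Orifice's default listening port (UDP 31337).
    "back_orifice_probe": lambda r: r.proto == "UDP" and r.dport == 31337,
    # Land: source and destination address and port are identical.
    "land_attack": lambda r: r.src == r.dst and r.sport is not None
    and r.sport == r.dport,
    # Analyst-added: telnet into the organization from outside.
    "inbound_telnet": lambda r: r.proto == "TCP" and r.dport == 23
    and inside_org(r.dst) and not inside_org(r.src),
}


def analyze(records: List[Record], filters=STOCK_FILTERS) -> Dict[str, List[Record]]:
    """Group matching records under each filter name (the events of interest)."""
    return {name: [r for r in records if pred(r)] for name, pred in filters.items()}


def render(events: Dict[str, List[Record]]) -> str:
    """Text stand-in for the analyzer's web page."""
    out = []
    for name, hits in events.items():
        out.append(f"== {name}: {len(hits)} event(s)")
        for r in hits:
            out.append(f"  {r.time} {r.proto} {r.src}:{r.sport} -> {r.dst}:{r.dport}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(analyze(parse_capture(CAPTURE))))
```

Each filter here is a Python predicate for readability; in a real deployment the equivalent selection is expressed as a tcpdump/BPF filter run over the sensor's saved capture, with only conditions BPF cannot express (such as comparing source to destination) left to post-processing on the analyzer.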
