SHADOW is a sophisticated tool for analyzing intrusion attempts and successes and recognizing patterns of many intrusion attempts in large volumes of otherwise normal traffic.
It operates in near real time, generating alerts and capturing packets for further analysis and for use as evidence in subsequent legal action. It can detect stealth scans performed with TCP "half-opens", by sending ICMP echo replies, etc.
SHADOW was produced as a joint effort between the NSWC (Naval Surface Warfare Center) Dahlgren, NFR, NSA, the SANS community and other interested parties.
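
The two stealth-scan patterns named above can be recognized from packet headers alone. The following is an added example, not SHADOW's own code or filters: it flags a TCP handshake that the client resets after the SYN-ACK (a "half-open") and an ICMP echo reply that answers no earlier echo request. The record layout, helper names and sample addresses are assumptions made for the illustration.

```python
# Constructed sample records (not captured traffic); field names are assumptions.
def tcp(src, sport, dst, dport, flags):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags)
def icmp(src, dst, kind, seq):
    return dict(proto="icmp", src=src, dst=dst, type=kind, seq=seq)

SAMPLE = [
    tcp("198.51.100.7", 40001, "192.0.2.10", 22, "S"),
    tcp("192.0.2.10", 22, "198.51.100.7", 40001, "SA"),
    tcp("198.51.100.7", 40001, "192.0.2.10", 22, "R"),    # reset, never ACKed
    tcp("192.0.2.20", 40002, "192.0.2.10", 80, "S"),
    tcp("192.0.2.10", 80, "192.0.2.20", 40002, "SA"),
    tcp("192.0.2.20", 40002, "192.0.2.10", 80, "A"),      # normal handshake
    icmp("192.0.2.20", "192.0.2.10", "echo-request", 1),
    icmp("192.0.2.10", "192.0.2.20", "echo-reply", 1),    # answers the request
    icmp("198.51.100.7", "192.0.2.10", "echo-reply", 9),  # no request seen
]

def find_half_opens(packets):
    """Handshakes where the client answered SYN-ACK with RST instead of ACK."""
    state, hits = {}, []
    for p in packets:
        if p["proto"] != "tcp":
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":
            state[fwd] = "syn"
        elif p["flags"] == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"
        elif state.get(fwd) == "synack":
            if "R" in p["flags"]:
                hits.append((p["src"], p["dst"], p["dport"]))
            del state[fwd]  # final ACK or RST ends tracking either way
    return hits

def find_unsolicited_echo_replies(packets):
    """Echo replies with no matching earlier echo request."""
    pending, hits = set(), []
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p["type"] == "echo-request":
            pending.add((p["src"], p["dst"], p["seq"]))
        elif p["type"] == "echo-reply":
            key = (p["dst"], p["src"], p["seq"])
            if key not in pending:
                hits.append((p["src"], p["dst"]))
            pending.discard(key)
    return hits
```

Both functions return a list of flagged endpoints, so the output can be grouped by source address to see one host probing many ports or targets.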