Snort mailing list archives
Status of aircert project?
From: "Michael Scheidell" <scheidell () fdma com>
Date: Fri, 19 Oct 2001 11:13:34 -0400
I was wondering what the status of the aircert project was. Reason I asked was that the communal gathering and comparison of alert/attack data seems important. It shows worm trends, tracks trojans and hacker activity, and if done right could also allow a security admin to determine if he is the only one being attacked by a certain IP or if this is a skiddie.

One of the projects I have been involved in is the mynetwatchman DIDS. Sounds a little like aircert. (www.mynetwatchman.com) You can get a free perl (or windows) agent to auto upload your attack data. It started out just monitoring blackice firewalls, but added zonealarm as well. Now, through an open source perl agent, it supports CISCO IOS, PIX, IPFW, iptables, ipchains, portsentry, sonicwall, tcp_wrapper and snort csv formats. There is a Linux rpm package and a generic tgz for other unixes. It can even update iptables (so, snort can update iptables through the mynetwatchman client!)

It differs from the incidents.org / dshield concept in that each individual 'agent' can view his/her own daily statistics via a web page (check to see if he is the only one attacked) and how many of his reports resulted in an alert to the ISP. Oh yes, the other thing it does is that when the attacks reach a threshold determined by port number and agent count, they get auto-escalated to the ISP.

Remember the Leave32 worm? Look at the incidents.org info on that. It was first discovered by mynetwatchman traffic analysis and the info was sent to incidents.org.

Does this fit in any way with aircert? Is there any reason to ask Lawrence Baldwin at mynetwatchman to forward aggregated attack data to aircert as well as incidents.org?

--
Michael Scheidell

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
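The post describes two things a distributed IDS back end has to do with the uploaded agent data: let a single admin check whether anyone else saw the same source IP, and auto-escalate a source once enough distinct agents report it, with the threshold depending on the port. The following is an added example written for this archive page, not mynetwatchman's or aircert's own code; the CSV field layout, the agent IDs and IP addresses, and the per-port threshold table are all constructed assumptions for illustration.

```python
"""
Aggregate per-host firewall/IDS reports from many agents into one shared view
and decide which attacking sources are widespread enough to escalate.
Added example; not mynetwatchman's or aircert's code.  The upload format and
the thresholds below are assumptions made for this illustration.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass, field
from io import StringIO

# Constructed sample upload: one line per blocked/alerted connection.
# Assumed field layout: agent_id,timestamp,src_ip,dst_port,proto
SAMPLE_REPORTS = """\
agentA,2001-10-19T10:01:00,198.51.100.7,80,tcp
agentB,2001-10-19T10:02:10,198.51.100.7,80,tcp
agentC,2001-10-19T10:03:40,198.51.100.7,80,tcp
agentD,2001-10-19T10:05:12,198.51.100.7,80,tcp
agentA,2001-10-19T10:06:00,203.0.113.9,22,tcp
agentA,2001-10-19T10:06:30,203.0.113.9,22,tcp
agentB,2001-10-19T10:07:00,192.0.2.44,1433,tcp
agentE,2001-10-19T10:08:00,192.0.2.44,1433,tcp
"""

# Assumed escalation policy: minimum number of *distinct* agents that must
# report the same source IP before it is escalated to the upstream ISP.
# Ports with constant background scanning need more independent witnesses.
PORT_THRESHOLDS = {80: 4, 1433: 2}
DEFAULT_THRESHOLD = 3

FIELDS = ["agent_id", "timestamp", "src_ip", "dst_port", "proto"]


@dataclass
class SourceSummary:
    """Everything the aggregator knows about one attacking source IP."""
    src_ip: str
    agents: set = field(default_factory=set)   # distinct reporting agents
    ports: set = field(default_factory=set)    # destination ports hit
    hits: int = 0                               # total events, all agents


def parse_reports(text):
    """Parse the agents' CSV upload into one dict per event."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return [{**row, "dst_port": int(row["dst_port"])} for row in reader]


def aggregate(events):
    """Fold every agent's events into a summary keyed by source IP."""
    summaries = {}
    for e in events:
        s = summaries.setdefault(e["src_ip"], SourceSummary(e["src_ip"]))
        s.agents.add(e["agent_id"])
        s.ports.add(e["dst_port"])
        s.hits += 1
    return summaries


def threshold_for(ports):
    """Lowest threshold among the ports the source touched (most sensitive)."""
    return min(PORT_THRESHOLDS.get(p, DEFAULT_THRESHOLD) for p in ports)


def should_escalate(summary):
    """Escalate once enough distinct agents have reported the source."""
    return len(summary.agents) >= threshold_for(summary.ports)


def am_i_alone(summaries, src_ip, my_agent):
    """The admin's question from the post: did nobody else report this IP?"""
    s = summaries.get(src_ip)
    return s is not None and s.agents == {my_agent}


def escalations(summaries):
    """Sorted list of source IPs that crossed their escalation threshold."""
    return sorted(ip for ip, s in summaries.items() if should_escalate(s))


if __name__ == "__main__":
    summaries = aggregate(parse_reports(SAMPLE_REPORTS))
    for ip, s in sorted(summaries.items()):
        print(f"{ip:15} agents={len(s.agents)} ports={sorted(s.ports)} "
              f"hits={s.hits} escalate={should_escalate(s)}")
    print("agentA alone on 203.0.113.9?",
          am_i_alone(summaries, "203.0.113.9", "agentA"))
```

Counting distinct agents rather than raw hits is the point: one host being probed repeatedly by a single source (agentA and 203.0.113.9 above) stays a local matter, while a source seen by several independent reporters is evidence of a scan or worm worth passing upstream.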