Snort mailing list archives

RE: CEREBUS 1.2 Alert Browser and Data Correlator


From: "Donofrio, Lewis" <donofrio () umich edu>
Date: Tue, 27 Aug 2002 11:00:07 -0400

Geesh, URL should have read:

www.smoothwall.org

--stuttering as I type <G>
______________________________________________________________________ 
Lewis   Donofrio () umich edu   College of Literature, Science, & Arts 
1007 East Huron, Room 201,      BetaID:243340   Cell: (734) 323-8776
Ann Arbor,MI 48104-1690 www.umich.edu/~donofrio  Fax: (734) 647-8333 


-----Original Message-----
From: Donofrio, Lewis 
Sent: Tuesday, August 27, 2002 10:26 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator


Gentle People,

Anyone use www.smmothwall.org gpl 0.9.9se around here?  I 
tried to run this util on my firewall but I cannot locate the 
.map file required? This ISO runs Version 1.8.1-RELEASE 
(Build 74) and I've been looking in the \var\logs\snort but 
none found?  

--Just wondering....
---anyone got a php script that will email the ip owner of 
ATTACKING machines? ----I have a vbs script I run for my 
cheesy blackice service. 
______________________________________________________________________ 
Lewis   Donofrio () umich edu   College of Literature, Science, & Arts 
1007 East Huron, Room 201,      BetaID:243340   Cell: (734) 323-8776
Ann Arbor,MI 48104-1690 www.umich.edu/~donofrio  Fax: (734) 647-8333 


-----Original Message-----
From: Dragos Ruiu [mailto:dr () dursec com]
Sent: Monday, August 26, 2002 10:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator


////////////////////
// Announcing the release of CEREBUS v1.2
////////////////////

What is CEREBUS?

CEREBUS is a text-based full screen alert analysis system for Snort
unified alert output.  It lets you load multiple snort alert files into
its embedded database system and make real-time queries to quickly
delete noise alerts. It is a statically linked standalone binary and
does not require you to set up any additional database software to
analyze Snort IDS output.

Cerebus is intended for Intrusion Detection System analysts who deal
with a large volume of IDS probe data and alert logs and need to
efficiently process these large amounts of data, potentially over a
remote connection, or individuals who wish to use the Snort IDS but do
not want to deal with the complexity of installing a full database
manager for managing and browsing alerts, or who desire to make their
log analysis time as short and efficient as possible.

What it lacks in eye-candy (fancy fonts, gui buttons) it makes up for in
raw speed and efficiency of processing alerts and the ability to rapidly
identify small important anomalies in large data sets.  It is also
usable over a network link without having to import those large data
sets to your local machine... so if you have a large fast machine as
your central repository or you want to analyze the data on the probe
machine directly you can do all the processing there (Cerebus is also
very CPU efficient compared to an SQL database) and still use it from
your own desktop - independent of what your desktop machine is - without
waiting for a slow web gui to update or a database to run queries.

Feed Cerebus Snort unified alert files from /var/log/snort. (Follow
the snort config instructions on the first Cerebus screen to 
set up unified output, if you are unfamiliar with this.)

Cerebus won't impress your manager with fancy pie charts, but it may
speed up your alert analysis to let you examine events in detail that
would otherwise get ignored. Cerebus will hopefully let you spend less
time minding the IDSes and more time enjoying summer.

The Lite version is the free non-commercial version intended for smaller
environments and individual use. The information below pertains to both
the commercial licensed version and the free Lite version. The
commercial version features support for more alert input file formats
and sources, writing ability to save edited alert sets/reports, and
enhanced multi-source data management.

////////////////////
// What's new in this release:
////////////////////

-Alert Priority and Classification Display

-Sort/Collapse/Removal by Priority and Classification

-Collapsing similar alerts (source, dest, alert type etc...)

-Statistics modes (in conjunction with collapsing) and 
  Alert counts.

-New partial processing for _very_ large alert files.
 It will defer processing until you scroll to the data when
 you choose a collapse mode. The number in parentheses
 after the number of alert records indicates the number
 of collapsed records after display collapse. (note the
 number will change as you scroll through the file
 and incremental processing happens.)

-New high speed mini-curses library.
 I got tired of futzing with statically compiling curses, I was
 looking through the code and said, "yuck, look at all this
 crap", "curses" indeed. Who in this day and age needs
 ASCII windowing and support for Morrow InterTube magic
 cookie terminals?  Everything (well almost :-) in the known
 universe uses the ansi/vt1x0/vt2x0 command set - so I
 stripped out the gunk for everything except that in my
 reimplementation! So you can use anything like an xterm
 (use a wide one to see all the fields), or a linux/bsd/console,
 pc terminal program, remote ssh whatever...  I'm afraid
 that if, like me, you have something odd like a wyse terminal
 you are sol about using this on it :-) By losing all the
 termlib/terminfo crap and a lot of unused functionality,
 the low swearing diet plan reduced this library's waistline
 by more than 10x and gained noticeable execution
 speedups.

-Fast scrolling.
 The benefit to reimplementing curses is that I have removed
 all library dependencies and I even removed stdio and libc
 routines.  My new small fast library makes scrolling much
 snappier (I can't really tell the difference between a p-200
 and gig athlon) - and it is now realistic to lean on the page
 down key and hop over a few tens of thousands of alerts.
 The mini-curses library (libcuss? short version of curse?
 libless? a blessing would be the opposite of a curse? :-)
 should also send fewer characters overall in bigger blocks
 than normal curses to describe the same screen, so it
 should still work fine over network ssh'es, or even serial
 consoles - probably even better than the original curses
 (since it essentially hasn't been touched since the early
 80's and the System V Release 2 version that has propagated
 in both Linux and BSD.).
 
-Static binaries with no library dependencies.
 The Linux, FreeBSD, OpenBSD, (and OSX as soon as I
 upload the recompile to the web servers) versions on the
 web servers are now there.  I'm happy to say that except
 for open/close, read/write, malloc/free (and ioctl on bsd),
 this stuff is libc bloat free. These binaries should run on
 any systems without library futzing. I'm happy with the
 portability of my code :-).

-The sparc version is still unavailable because the
 donated sparcstation doesn't seem to like either video 
 or serial consoles...sigh.

-Itanium and Alpha versions of Cerebus will be added
 to release sets soon with these new portability improvements 
 in this version. (Thanks Chris)

////////////////////
// Cool things you can do with Cerebus:
////////////////////

-Look at the count statistics for each kind of alert in a set
 of files?
        how:
                1. Merge the files into the db
                2. (S)ort by (A)lert
                3. (C)ollapse by (A)lert

-Delete all of a certain kind of alert for a single
 destination host?
        how:
                1. Merge the files into the db
                2. (S)ort by (D)estination (I)P
                3. (S)ort by (A)lert
                4. (C)ollapse by (D)estination (I)P
                5. Move to the host/alert pair you want to
                   nuke and delete it using (R)emove
                   (D)estination (I)P or (D)elete

-Look at the Alert activity by port?
        how:
                1. Merge the files into the db
                2. (S)ort by (D)estination or (S)ource (P)ort
                3. Collapse by the same choice

////////////////////
// Cerebus Tutorial:
////////////////////
    Cerebus is intended to be a paring tool - to cut away
    uninteresting data and get to the core of security issues.
    The usual way I use Cerebus is to load in the alert files
    I want to look at and remove the noise before analyzing
    anything in detail.

    The quick way to get rid of data is to collapse it and then
    delete the collapsed line.  In this way usually hundreds of
    thousands of alerts can be reduced to mere hundreds of
    lines to look at in more detail.

    My usual first step is to get rid of the alert types I don't
    care about (things like code red on web servers etc..) I
    usually sort by alert and then collapse by alert to nuke
    alert types I don't like.  Then I usually weed out noisy or
    often falsing hosts, by sorting on destination ip and port.

    You can then use port sorting to eliminate some noisy
    protocols.

    After I get rid of the noise... I then usually sort by
    source and collapse and start investigating the hosts that
    have been sending a lot of crap... So far I am pleased to
    report Cerebus has dramatically decreased the amount of time
    I have to spend looking over alert files - It lets me manage
    and analyze volumes of alerts that were previously infeasible
    to look through for anomalies and interesting data (and would
    probably have wound up in the bit-bucket without Cerebus).

    It works best in as large an xterm as you can fit on your
    screen with small font sizes... because the scrolling is very
    fast, you can hop over impressive amounts of data rapidly
    just using page up and page down. You can do correlation
    by using the different sort and collapse modes to delete the
    data between events of interest and look at multi-machine
    events side by side. Reloading the same file lets you restore
    those events that you deleted when examining certain
    hypotheses...

////////////////////
// Cerebus Hints:
////////////////////
        -In the upper right corner of the screen are indicator
         toggles for the collapse modes. To toggle a collapse
         mode <off> just reselect it.
        -The sort order is a stack.  It gets reset when you
         sort by (E)vent
        -You can see the sort stack indicator in the upper
         right next to the collapse indicators.
        -The (E)xpand command will clear all collapsing. All
         the records will be ungrouped as you page through
         the data.
        -If you accidentally deleted some records you can
         re-merge the files you loaded earlier. Cerebus will
         tell you how many records it restored. It will
         automatically weed out duplicate event IDs.
        -If you are analyzing live files that snort is
         writing to, you can re-merge the files to get the
         new records recently written out.
        -Flipping over alert files daily/weekly seems to be a
         nice way to manage datasets.

////////////////////
// Cerebus Caveats:
////////////////////
        -Cerebus is not perfect. It's just zippy. If it
         crashes on you, you have either found a bug and you
         should tell me or you need more memory :-). (It will
         give a diagnostic in this case)

////////////////////
// Where to get cerebus:
////////////////////

http://dragos.com/cerebus/cerebus-linux-v1.2
http://dragos.com/cerebus/cerebus-fbsd-v1.2
http://dragos.com/cerebus/cerebus-obsd-v1.2

I hope it saves you some time. Feedback and requests welcome.

////////////////////
// Mandatory Commercial Content:
////////////////////

-dr is available for ids consulting and analysis and system
 projects. cerebus is available for custom implementation
 integration. more toys under construction. Since Sourcefire
 hasn't recently been farming out any more remote development
 work now that they have a full team in-house in MD I am
 actively seeking development and consulting contracts
 until I get busy with my conference preparations again.

cheers,
--dr


-- 
dr () dursec com  pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
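The sort/collapse/remove recipes and the tutorial workflow in the announcement above, modelled as an added Python example that is not part of Cerebus or of the original post. The records are constructed sample data in a simplified form (a few documentation-range IPs and classic rule message strings), not the Snort unified binary format that Cerebus actually reads, and the function names (merge, collapse, remove, demo) are this example's own, not Cerebus commands. It shows the three "cool things" recipes (counts per alert type, dropping one alert type for one destination host, activity by port) plus the re-merge behaviour from the hints, which restores only records whose event IDs are no longer present.

```python
"""Model of the Cerebus sort/collapse/remove workflow (added example).

The records are constructed sample data in a simplified form, not the
Snort unified binary format Cerebus reads; function names are this
example's own, not Cerebus commands.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Alert:
    event_id: int   # unique per record; re-merging weeds out duplicates by this
    sig: str        # alert type (rule message)
    src: str
    dst: str
    sport: int
    dport: int


# Constructed sample records (documentation-range IPs, classic rule names).
SAMPLE_ALERTS = [
    Alert(1, "WEB-IIS cmd.exe access", "198.51.100.7", "10.0.0.5", 40001, 80),
    Alert(2, "WEB-IIS cmd.exe access", "198.51.100.7", "10.0.0.5", 40002, 80),
    Alert(3, "WEB-IIS cmd.exe access", "198.51.100.9", "10.0.0.6", 40003, 80),
    Alert(4, "ICMP PING NMAP", "203.0.113.4", "10.0.0.5", 0, 0),
    Alert(5, "ICMP PING NMAP", "203.0.113.4", "10.0.0.6", 0, 0),
    Alert(6, "SCAN SSH Version map attempt", "203.0.113.4", "10.0.0.7", 51000, 22),
    Alert(7, "MS-SQL Worm propagation attempt", "192.0.2.33", "10.0.0.8", 1434, 1434),
]


def merge(db: Dict[int, Alert], alerts: Iterable[Alert]) -> int:
    """Merge records into the db, skipping event IDs already present.

    Returns the number of records actually added, which is what lets a
    re-merge of the same file restore only what was deleted.
    """
    added = 0
    for a in alerts:
        if a.event_id not in db:
            db[a.event_id] = a
            added += 1
    return added


def collapse(alerts: Iterable[Alert], fields: Tuple[str, ...]) -> List[Tuple[tuple, int]]:
    """Sort-then-collapse: group records sharing the given fields and count them.

    Returns (key, count) pairs, busiest group first; this is the
    'statistics mode' view of a collapsed display.
    """
    counts = Counter(tuple(getattr(a, f) for f in fields) for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def remove(db: Dict[int, Alert], **match) -> int:
    """Delete every record whose fields equal all the given values.

    Deleting a collapsed line is the same as removing every record in
    that group; returns how many were dropped.
    """
    doomed = [eid for eid, a in db.items()
              if all(getattr(a, k) == v for k, v in match.items())]
    for eid in doomed:
        del db[eid]
    return len(doomed)


def demo() -> dict:
    """Run the three recipes from the announcement over the sample set."""
    db: Dict[int, Alert] = {}
    first = merge(db, SAMPLE_ALERTS)
    again = merge(db, SAMPLE_ALERTS)               # re-merge: duplicate IDs weeded out
    by_sig = collapse(db.values(), ("sig",))       # counts per kind of alert
    by_dport = collapse(db.values(), ("dport",))   # activity by destination port
    # Drop one kind of alert for a single destination host, then look at
    # what is left per (dest IP, alert) pair.
    removed = remove(db, sig="WEB-IIS cmd.exe access", dst="10.0.0.5")
    left = collapse(db.values(), ("dst", "sig"))
    return {"first": first, "again": again, "by_sig": by_sig,
            "by_dport": by_dport, "removed": removed, "left": left,
            "remaining": len(db)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Collapsing on a tuple of fields is the model's equivalent of pushing several sorts onto the sort stack and collapsing on the top one; deleting the group is cheap because every record in it matches the same key, which is why a few hundred collapsed lines can stand in for hundreds of thousands of raw alerts.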

