Snort mailing list archives

Re: Session statistics


From: Bamm Visscher <bamm () satx rr com>
Date: Fri, 22 Aug 2003 08:18:10 -0500

If you want to use snort to glean session info, rather than a third party tool like Argus [0], then take a look at the 
spp_stream4 patch that is included with sguil [1]. From the comments in the patch:

/* Added a new stats type "db". The main purpose is to get session stats loaded
 * into the database for datamining using sguil (http://www.satexas.com/~bamf/sguil/).
 *
 * Config from snort.conf:
 * keepstats db /log/dir
 *
 *
 * Output is pipe delimited and a new file (/log/dir/ssn_log.<milliseconds>)
 * is created each time the deleted sessions are flushed (see FLUSH_DELAY):
 *
 * xid|start_time|end_time|src_ip|dst_ip|src_port|dst_port|src_pckts|dst_pckts|src_bytes|dst_bytes
 *
 * xid is the time in milliseconds at SessionDelete.
 *
 *
 * Bammkkkk
*/

With the patch installed, the stream4 args in my snort.conf look like:

  preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db /snort_data/ssn_logs

If you run sguil, then sensor_agent.tcl passes the files to sguild for loading into the db. If not, you create a simple 
script that checks for new *.log files every n secs and uses LOAD to get the pipe delimited data into the DB. A mysql 
example would be:

  LOAD DATA LOCAL INFILE '<filename>' INTO TABLE sessions FIELDS TERMINATED BY '|'


BTW, what you've 'stumbled' on is part of what some of us call "Network Security Monitoring (NSM)".  Richard Bejtlich 
[2] posted a brief (but good) description here [3].  If anyone is interested, Rich is doing a webcast "Implementing 
network security monitoring with open source tools" on Aug 28th [4].

Oh, and I can't plug NSM without making mention of Todd Heberlein [5]. Rich and I both realize that we were lucky 
enough to begin our careers in the AFCERT and use technologies that evolved directly from Todd's work. 

Bammkkkk


[0] http://www.qosient.com/argus/
[1] http://sguil.sourceforge.net
[2] http://www.taosecurity.com
[3] http://marc.theaimsgroup.com/?l=snort-users&m=106028765509965&w=2
[4] http://taosecurity.blogspot.com/2003_08_01_taosecurity_archive.html#106122668702395935
[5] http://seclab.cs.ucdavis.edu/arpa/people/todd.html

On Thu, Aug 21, 2003 at 08:57:59AM -0500, John Creegan wrote:
After staying late last night to find out who on my network had been hit
with SoBig, I decided I needed a little bit of network analysis
capability.

I found the offending PC rapidly once I started snort with session
statistics in machine format.  A few greps, slices and sorts later I had
the beginnings of a network usage tool.

I've searched the mail list archives and the snort website looking for
the tool I need, and have not yet found it.  Before I go off and create
this tool, I'd like to know if there already is a tool which can take
advantage of the session.log data to tell me:
     1. Who the top talkers are
     2. Where the hotspots on the network are.

If not, I'm thinking about creating a table in the snort database and
then writing a bit of Perl to populate the table with the session stats.
I might then either write some php pages to add into ACID or write
stored procedures or even more Perl to do a bit of analysis.
Ultimately, I'd rather add the capability to ACID.

Anyone know of a way I can do this with existing tools?
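As an added example (not code from sguil or the spp_stream4 patch), the following Python reads the pipe delimited ssn_log records in the field order quoted above and answers the two questions John asks: top talkers and hotspots. The sample records are constructed, and the timestamp format inside start_time/end_time is an assumption, since the patch comment does not specify it; those fields are carried as opaque strings.

```python
from collections import Counter

# Field order from the spp_stream4 "keepstats db" comment quoted above.
FIELDS = ("xid", "start_time", "end_time", "src_ip", "dst_ip", "src_port",
          "dst_port", "src_pckts", "dst_pckts", "src_bytes", "dst_bytes")
INT_FIELDS = ("xid", "src_port", "dst_port", "src_pckts", "dst_pckts",
              "src_bytes", "dst_bytes")

# Constructed sample of one ssn_log.<milliseconds> file (not real sensor data).
# The start_time/end_time layout is assumed; the last line is deliberately bad.
SAMPLE_SSN_LOG = """\
1061477880123|2003-08-21 08:31:00|2003-08-21 08:31:02|10.1.1.23|192.0.2.10|1034|25|120|40|48000|2100
1061477880124|2003-08-21 08:31:01|2003-08-21 08:31:03|10.1.1.23|192.0.2.11|1035|25|118|39|47500|2050
1061477880125|2003-08-21 08:31:01|2003-08-21 08:31:09|10.1.1.7|192.0.2.50|1100|80|9|12|900|15000
1061477880126|2003-08-21 08:31:05|2003-08-21 08:31:06|10.1.1.23|192.0.2.12|1036|25|119|41|47900|2080
1061477880127|2003-08-21 08:31:07|2003-08-21 08:31:08|10.1.1.9|192.0.2.50|1200|80|7|10|700|12000
malformed line that should be skipped
"""


def parse_ssn_log(text):
    """Yield one dict per well-formed record; skip truncated or partial lines."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue  # a record still being written, or junk
        rec = dict(zip(FIELDS, parts))
        try:
            for key in INT_FIELDS:
                rec[key] = int(rec[key])
        except ValueError:
            continue
        yield rec


def top_talkers(records, n=3):
    """Bytes moved per source host (sent plus received), largest first."""
    by_src = Counter()
    for r in records:
        by_src[r["src_ip"]] += r["src_bytes"] + r["dst_bytes"]
    return by_src.most_common(n)


def hotspots(records, n=3):
    """Session count per destination (ip, port): which services draw the traffic."""
    return Counter((r["dst_ip"], r["dst_port"]) for r in records).most_common(n)


if __name__ == "__main__":
    recs = list(parse_ssn_log(SAMPLE_SSN_LOG))
    print("top talkers:", top_talkers(recs))
    print("hotspots:", hotspots(recs))
```

Pointing parse_ssn_log at each new ssn_log.* file gives the same aggregates without first loading into MySQL; a host that dominates top_talkers with many short port 25 sessions is the pattern the SoBig hunt was after.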

