Snort mailing list archives
Re: OpenSource Alternative to SourceFire's RNA
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 31 Mar 2004 09:39:27 -0600 (CST)
I am not looking for correlation; I have already done a great deal of development on an application that correlates Snort/Nessus/Windows Event Logs, and I am working on Firewall logs. What I want is something that tracks MACs across the network, updating information such as current IP address, operating system, ports being used, and services running on the used ports. This information should be collected passively, like SourceFire's RNA or, similarly, Tenable's NeVo product. With this kind of information an adaptive security environment could be created that automatically tunes IDS/VA devices to match the current threat level for the network environment.

The only way I know of to do this is to create signatures in Snort that recognize specific services and Operating Systems, log them in a format such as CSV, and then run a background process that tails the CSV file and inputs new information into a database, or updates old information with current changes. This method, however, would be a big undertaking, as there are thousands of applications and versions out there. The most efficient method I can think of is to classify application types (DB/WWW/FTP/DNS) with common port listings and assign signatures to the class listings in one big database. Once done, a script could be created to automatically generate the signatures.

Thanks
> --On 30 March 2004 09:25 -0600 Josh Berry <josh.berry () netschematics com> wrote:
>
>> Is anyone working on OpenSource Alternatives to SourceFire's RNA product? I was thinking about using p0f to dump OS information into a file and then export it to a database, but I really would like to gather service level information and eventually passively identify vulnerabilities. The only ways that I can think of getting any of this kind of information passively are with NTOP or developing signatures for Snort alerting on specific services (seeing Apache 1.3.29 in an HTTP string), sending that data to a file and then exporting it with another program, only updating new entries. At any level it would be a massive undertaking; anyone interested?
>
> OS-Sim <http://www.ossim.net> looks like the way to go; it correlates the results of previous Nessus scans with Snort alerts, and bumps the priority of alerts appropriately.
>
> Best Regards,
> Alex.
>
> --
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing
> GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
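The pipeline Josh sketches above (Snort signatures that name a service or OS, written to CSV, tailed into a database keyed by MAC, with the signatures themselves generated from a class/port table) can be shown end to end in a few dozen lines. The following is an added example for this archive page, not code from either poster or from Snort. It assumes a simplified, constructed CSV layout of timestamp,msg,proto,src,srcport,dst,dstport,ethsrc and a made-up "PASSIVE <CLASS> <detail>" naming convention for the rule messages, so that the class and product string can be parsed back out of the alert; the service class table, products and sample alert lines are all constructed.

```python
"""Passive asset inventory fed by Snort-style CSV alerts (added example)."""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample alerts (not real Snort output): one host whose IP
# changes between 09:00 and 10:00, plus an OS fingerprint alert.
# Assumed layout: timestamp,msg,proto,src,srcport,dst,dstport,ethsrc
SAMPLE_CSV = """\
03/31-09:00:01.000000,PASSIVE WWW Apache/1.3.29,TCP,10.0.0.5,80,10.0.0.99,51000,00:11:22:33:44:55
03/31-09:00:02.000000,PASSIVE OS Linux 2.4,TCP,10.0.0.5,80,10.0.0.99,51000,00:11:22:33:44:55
03/31-09:05:00.000000,PASSIVE DNS BIND 9,UDP,10.0.0.5,53,10.0.0.99,40000,00:11:22:33:44:55
03/31-10:00:00.000000,PASSIVE WWW Apache/1.3.29,TCP,10.0.0.7,80,10.0.0.99,51001,00:11:22:33:44:55
"""

# Constructed class table: class -> (common ports, [(product, Snort content match)]).
# Rules are generated per class x port x product, which is the "one big
# database of classes" idea from the message.
SERVICE_CLASSES = {
    "WWW": ([80, 8080], [("Apache/1.3.29", "Server|3A| Apache/1.3.29")]),
    "FTP": ([21], [("ProFTPD", "220 ProFTPD")]),
}


@dataclass
class Asset:
    """One tracked host, keyed by MAC so it survives DHCP address changes."""
    mac: str
    ip: str
    os: str = "unknown"
    services: dict = field(default_factory=dict)   # port -> "CLASS: product"
    ip_history: list = field(default_factory=list)  # previous addresses
    last_seen: str = ""


def parse_msg(msg):
    """Split 'PASSIVE <CLASS> <detail>' into (class, detail); None if not ours."""
    parts = msg.split(" ", 2)
    if len(parts) != 3 or parts[0] != "PASSIVE":
        return None
    return parts[1], parts[2]


def update_inventory(inventory, row):
    """Apply one CSV row to the MAC-keyed inventory; returns the touched asset."""
    ts, msg, _proto, src, sport, _dst, _dport, mac = row
    parsed = parse_msg(msg)
    if parsed is None:
        return None          # an alert from some other rule set; ignore it
    cls, detail = parsed
    asset = inventory.get(mac)
    if asset is None:
        asset = inventory[mac] = Asset(mac=mac, ip=src)
    elif asset.ip != src:
        asset.ip_history.append(asset.ip)   # the host moved; keep the old address
        asset.ip = src
    asset.last_seen = ts
    if cls == "OS":
        asset.os = detail
    else:
        asset.services[int(sport)] = f"{cls}: {detail}"
    return asset


def load_csv(text, inventory=None):
    """Feed every CSV line into the inventory; a tailing loop would call
    update_inventory() the same way for each newly appended line."""
    inventory = {} if inventory is None else inventory
    for row in csv.reader(io.StringIO(text)):
        if row:
            update_inventory(inventory, row)
    return inventory


def generate_rules(classes, base_sid=1000000):
    """Emit one Snort rule per (class, port, product) with a parseable msg."""
    rules, sid = [], base_sid
    for cls, (ports, products) in sorted(classes.items()):
        for port in ports:
            for product, content in products:
                sid += 1
                rules.append(
                    f'alert tcp $HOME_NET {port} -> any any '
                    f'(msg:"PASSIVE {cls} {product}"; flow:from_server,established; '
                    f'content:"{content}"; classtype:not-suspicious; sid:{sid}; rev:1;)'
                )
    return rules


if __name__ == "__main__":
    for asset in load_csv(SAMPLE_CSV).values():
        print(asset)
    print("\n".join(generate_rules(SERVICE_CLASSES)))
```

The inventory is keyed by MAC rather than IP precisely so that the address change in the fourth sample line is recorded as history instead of creating a second asset, which is the behaviour the message asks for; the rule generator and the message parser share the one naming convention, so the database that drives signature generation is also the database that interprets the resulting alerts.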
Current thread:
- OpenSource Alternative to SourceFire's RNA Josh Berry (Mar 30)
- Re: OpenSource Alternative to SourceFire's RNA AJ Butcher, Information Systems and Computing (Mar 31)
- Re: OpenSource Alternative to SourceFire's RNA AJ Butcher, Information Systems and Computing (Mar 31)
- Re: OpenSource Alternative to SourceFire's RNA Josh Berry (Mar 31)
- Re: OpenSource Alternative to SourceFire's RNA AJ Butcher, Information Systems and Computing (Mar 31)