Snort mailing list archives

RE: IDS provisioning site analysis tool?


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 12 Apr 2004 13:14:31 -0400

I think that's quite a bit what Sourcefire's RNA does.  Basically, it
learns what you have and then when alerts get detected, if it's not
applicable to your environment, then it's not a big issue.  So, if you
have all Apache web servers and you get hit with some Unicode directory
traversal attempts trying to run cmd.exe, it really doesn't matter.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Williams
Jon
Sent: Monday, April 12, 2004 12:43 PM
To: Snort Users List; Focus-Ids
Subject: [Snort-users] IDS provisioning site analysis tool?


I've been doing IDS work at one site for several years now and have
found that, lacking knowledge about what network traffic is supposed to
exist, one spends the majority of their efforts researching non-issues.
Having spent the time on my local network, I've got that understanding
here, but I'm considering locating sensors at other sites where that
knowledge is lacking.  Over the weekend, I got this wild hair that I'd
like a tool that I could run on the new sensor box prior to kicking up
the IDS.  This tool would do the following things:

- Monitor the network, displaying some form of a summary of connections,
probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on
Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in
the future and document what it is

Additionally, I think that it might be useful to be able to produce some
form of output that lists the applications/OSes found for use in
selecting IDS rules (i.e. use the file with some script that would
deactivate any snort.org rule for which there isn't a corresponding
target).  I doubt that this feature would be in any current tool,
although I think it could be useful.

The way I'm thinking, I'd do a site survey, identify everything I could
as a known application.  Whatever's left would need to be tracked down
and either documented as a proper business app or terminated.  Once
that's done, this tool could produce the "My Environment" list for use
in building IDS rulesets and/or continue running as a daily checkpoint
for new, unknown/unauthorized traffic.

So, does anyone know of a tool or a set of tools that can do this?  If
not, does anyone else see any value in such a beast?

Thanks.

Jon



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
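A sketch of the survey-and-baseline workflow Jon describes, added here as an example rather than any tool from the thread: summarize passively observed flows by service port, report services that are not in the documented "My Environment" baseline (the daily checkpoint), and deactivate rules whose literal destination port has no corresponding target. The flow records, baseline entries and rule lines are constructed sample data, and the rule-header regex is an assumed simplification that leaves variable-port rules active.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of passively observed flows: (server_ip, proto, port, fingerprint).
FLOWS = [
    ("10.0.0.10", "tcp", 80, "Apache/Linux"),
    ("10.0.0.10", "tcp", 80, "Apache/Linux"),
    ("10.0.0.11", "tcp", 25, "Postfix/Linux"),
    ("10.0.0.12", "tcp", 3389, "Windows RDP"),
    ("10.0.0.13", "tcp", 80, "IIS/W2K"),
]

# Constructed baseline from the site survey: (ip, proto, port) -> documented purpose.
KNOWN = {
    ("10.0.0.10", "tcp", 80): "Intranet web server, Apache on Linux",
    ("10.0.0.11", "tcp", 25): "Mail relay, Postfix on Linux",
}

# Constructed rule lines using literal and variable destination ports.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; sid:1001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"RDP probe"; sid:1002;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB generic"; sid:1003;)',
]

def summarize(flows):
    """Connection summary organized by (proto, port): who served it, how often."""
    by_port = defaultdict(Counter)
    for ip, proto, port, fp in flows:
        by_port[(proto, port)][(ip, fp)] += 1
    return by_port

def checkpoint(flows, known):
    """Daily checkpoint: distinct services observed but absent from the baseline."""
    return sorted({f for f in flows if (f[0], f[1], f[2]) not in known})

def environment_ports(known):
    """The (proto, port) pairs that exist in the documented environment."""
    return {(proto, port) for (_, proto, port) in known}

# Assumed header shape: action proto src sport -> dst dport (options...)
RULE_HDR = re.compile(r"^(alert|log|pass)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\(")

def prune_rules(rule_lines, env_ports):
    """Comment out rules whose literal destination port has no target in the
    environment; rules with variable or non-numeric ports are left active."""
    out = []
    for line in rule_lines:
        m = RULE_HDR.match(line)
        literal_port = m.group(3).isdigit() if m else False
        if literal_port and (m.group(2), int(m.group(3))) not in env_ports:
            out.append("# " + line)
        else:
            out.append(line)
    return out
```

Port-based pruning is coarse: a cmd.exe rule on port 80 stays active even in an all-Apache shop, so the fingerprint column is what a fuller tool would match against.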