Snort mailing list archives
RE: IDS provisioning site analysis tool?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Mon, 12 Apr 2004 13:14:31 -0400
I think that's quite a bit what Sourcefire's RNA does. Basically, it learns what you have and then when alerts get detected, if it's not applicable to your environment, then it's not a big issue. So, if you have all Apache web servers and you get hit with some Unicode directory traversal attempts trying to run cmd.exe, it really doesn't matter.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Williams Jon
Sent: Monday, April 12, 2004 12:43 PM
To: Snort Users List; Focus-Ids
Subject: [Snort-users] IDS provisioning site analysis tool?

I've been doing IDS work at one site for several years now and have found that, lacking knowledge about what network traffic is supposed to exist, one spends the majority of their efforts researching non-issues. Having spent the time on my local network, I've got that understanding here, but I'm considering locating sensors at other sites where that knowledge is lacking.

Over the weekend, I got this wild hair that I'd like a tool that I could run on the new sensor box prior to kicking up the IDS. This tool would do the following things:

- Monitor the network, displaying some form of a summary of connections, probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in the future and document what it is

Additionally, I think that it might be useful to be able to produce some form of output that lists the applications/OSes found for use in selecting IDS rules (i.e. use the file with some script that would deactivate any snort.org rule for which there isn't a corresponding target). I doubt that this feature would be in any current tool, although I think it could be useful.

The way I'm thinking, I'd do a site survey, identify everything I could as a known application. Whatever's left would need to be tracked down and either documented as a proper business app or terminated. Once that's done, this tool could produce the "My Environment" list for use in building IDS rulesets and/or continue running as a daily checkpoint for new, unknown/unauthorized traffic.

So, does anyone know of a tool or a set of tools that can do this? If not, does anyone else see any value in such a beast?

Thanks.

Jon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
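The site-survey workflow Jon sketches (summarize connections by service port, fingerprint what answers, flag services to ignore, emit a "My Environment" list, then use it to switch off rule files with no matching target and to spot new services on later days) can be prototyped in a few functions. The following is an added example, not code from the thread or from any Snort or Sourcefire tool. The flow records, banner patterns and the application-to-rule-file mapping are all constructed for the example; a real tool would take the records from a capture and maintain the mapping by hand.

```python
"""Toy site-survey pass: summarise observed services by port, fingerprint
them from banner strings, build a 'My Environment' inventory and use it to
decide which Snort rule files have a target worth enabling."""
import re
from collections import defaultdict

# Constructed sample records: (client, server, server_port, banner).
# A real tool would pull these from a capture; these are typed in by hand.
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.2.10", 80, "Apache/1.3.29 (Unix)"),
    ("10.1.1.21", "10.1.2.10", 80, "Apache/1.3.29 (Unix)"),
    ("10.1.1.22", "10.1.2.11", 80, "Apache/2.0.49 (Unix)"),
    ("10.1.1.20", "10.1.2.12", 22, "SSH-1.99-OpenSSH_3.8p1"),
    ("10.1.1.23", "10.1.2.13", 25, "220 mail.example.net ESMTP Sendmail 8.12.11"),
    ("10.1.1.24", "10.1.2.14", 3389, ""),   # no banner seen: stays 'unknown'
]

# Banner patterns -> application label (constructed, deliberately small).
BANNER_RULES = [
    (re.compile(r"Apache/"), "apache"),
    (re.compile(r"Microsoft-IIS/"), "iis"),
    (re.compile(r"OpenSSH_"), "openssh"),
    (re.compile(r"Sendmail"), "sendmail"),
]

# Hypothetical mapping from application label to the rule files that target
# it; an operator would maintain this table for their own rule set.
RULE_FILES_FOR_APP = {
    "apache": {"web-misc.rules", "web-cgi.rules", "web-php.rules"},
    "iis": {"web-iis.rules", "web-frontpage.rules"},
    "openssh": {"exploit.rules"},
    "sendmail": {"smtp.rules"},
}
ALL_RULE_FILES = set().union(*RULE_FILES_FOR_APP.values())


def fingerprint(banner):
    """Map a banner string to an application label, or 'unknown'."""
    for pattern, app in BANNER_RULES:
        if pattern.search(banner):
            return app
    return "unknown"


def summarize_by_port(flows):
    """Per server port: connection count and the set of servers that answered."""
    summary = defaultdict(lambda: {"connections": 0, "servers": set()})
    for _client, server, port, _banner in flows:
        summary[port]["connections"] += 1
        summary[port]["servers"].add(server)
    return dict(summary)


def build_environment(flows, ignored=frozenset()):
    """'My Environment': (server, port) -> app label, minus services the
    operator has flagged to ignore (the 'i' keypress in the proposal)."""
    env = {}
    for _client, server, port, banner in flows:
        key = (server, port)
        if key in ignored:
            continue
        # keep the first identification that is not 'unknown'
        if env.get(key, "unknown") == "unknown":
            env[key] = fingerprint(banner)
    return env


def unknown_services(env):
    """Services still to be tracked down and documented or terminated."""
    return sorted(k for k, app in env.items() if app == "unknown")


def select_rule_files(env):
    """Return (enabled, disabled): enable only rule files whose target exists."""
    enabled = set()
    for app in set(env.values()):
        enabled |= RULE_FILES_FOR_APP.get(app, set())
    return enabled, ALL_RULE_FILES - enabled


def new_services(env, flows):
    """Daily checkpoint: (server, port) pairs not in the surveyed environment."""
    return sorted({(s, p) for _c, s, p, _b in flows} - set(env))


if __name__ == "__main__":
    env = build_environment(SAMPLE_FLOWS)
    for port, info in sorted(summarize_by_port(SAMPLE_FLOWS).items()):
        print(f"port {port}: {info['connections']} conns, {len(info['servers'])} servers")
    print("unknown:", unknown_services(env))
    enabled, disabled = select_rule_files(env)
    print("disable:", sorted(disabled))
    print("new today:", new_services(env, [("10.1.1.9", "10.1.2.50", 1433, "")]))
```

With the constructed flows there is no IIS on the network, so the IIS-specific rule files come out in the disabled set, while the RDP-looking service on 3389 lands in the unknown list for follow-up; feeding a later day's flows into `new_services` is the "daily checkpoint" for traffic that was not in the survey.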
Current thread:
- IDS provisioning site analysis tool? Williams Jon (Apr 12)
- RE: IDS provisioning site analysis tool? Jerry Shenk (Apr 12)
- Re: IDS provisioning site analysis tool? Martin Roesch (Apr 13)
- <Possible follow-ups>
- RE: IDS provisioning site analysis tool? Williams Jon (Apr 13)
- Re: IDS provisioning site analysis tool? Martin Roesch (Apr 13)