Snort mailing list archives
Re: IDS provisioning site analysis tool?
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 13 Apr 2004 10:33:25 -0400
Hi Jon,

I think our RNA product can help you. It performs passive OS identification, passive service protocol identification (including vendor and version ID), flow logging, passive vulnerability inference, target (host) modeling, etc.

To address your "feature list", RNA can do the following things:
- Connection summaries (flow logging/analysis)
- Passive OS & service fingerprinting, including identification of service vendor/version
- List of services/vendors/versions & host models for rule selection

It doesn't produce automatic rule tuning at this point; I think that feature will show up in the future though.
RNA is a commercial product though, so I don't know how that might fit with budgetary constraints you might have.
One thing you might consider if you *do* have a budget is that Sourcefire is offering a Snort Agent product now that can transport event data from open source sensors up to the Sourcefire Management Console (MC) for analysis/reporting/incident management. Our version 3.1.2 update for the MC that's coming out this week includes an Impact Correlator that analyzes events coming from the IDSes against RNA's network/vulnerability map and can gauge the impact of an event based on the real-time assessment of your network environment. This is pretty cool because it's independent of the arbitrary priority field in Snort rules that may or may not have any relevance to your actual network.
Anyway, enough marketing foo. If you want to try to wire something together with open source parts you could probably do so with a variety of pieces parts and a bunch of perl, depends on how much time you've got...
-Marty

On Apr 12, 2004, at 12:43 PM, Williams Jon wrote:
I've been doing IDS work at one site for several years now and have found that, lacking knowledge about what network traffic is supposed to exist, one spends the majority of their efforts researching non-issues. Having spent the time on my local network, I've got that understanding here, but I'm considering locating sensors at other sites where that knowledge is lacking.

Over the weekend, I got this wild hair that I'd like a tool that I could run on the new sensor box prior to kicking up the IDS. This tool would do the following things:
- Monitor the network, displaying some form of a summary of connections, probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in the future and document what it is

Additionally, I think that it might be useful to be able to produce some form of output that lists the applications/OSes found for use in selecting IDS rules (i.e. use the file with some script that would deactivate any snort.org rule for which there isn't a corresponding target). I doubt that this feature would be in any current tool, although I think it could be useful.

The way I'm thinking, I'd do a site survey, identify everything I could as a known application. Whatever's left would need to be tracked down and either documented as a proper business app or terminated. Once that's done, this tool could produce the "My Environment" list for use in building IDS rulesets and/or continue running as a daily checkpoint for new, unknown/unauthorized traffic.

So, does anyone know of a tool or a set of tools that can do this? If not, does anyone else see any value in such a beast?

Thanks.
Jon
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
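The "script that would deactivate any snort.org rule for which there isn't a corresponding target" that Jon describes, and the "My Environment" list it would consume, as an added Python example that is not part of this thread and not code from Snort, Sourcefire or RNA. It assumes the 2004-era snort.org convention that a rule's msg prefix (WEB-IIS, WEB-CGI, MYSQL, ORACLE, ...) names its target platform; the inventory and the rule lines are constructed samples.

```python
"""Prune a Snort 2.x ruleset against a site inventory (added example).

Assumption: the msg prefix of a snort.org rule (e.g. "WEB-IIS") names the
target it protects. Rules whose prefix is absent from the inventory are
commented out, never deleted, so the decision stays reviewable in the file.
"""
import re

# Constructed "My Environment" list: prefixes the site survey found targets for.
SITE_INVENTORY = {"WEB-MISC", "WEB-CGI", "MYSQL", "SMTP"}

# Constructed rule lines in snort.org 2.x syntax (options shortened).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; content:"/phf"; sid:886; rev:8;)
# already disabled by hand
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE select union attempt"; content:"select "; sid:1676; rev:4;)
"""

MSG_PREFIX_RE = re.compile(r'msg:"([A-Z0-9-]+)')
SID_RE = re.compile(r"sid:(\d+)")


def rule_category(line):
    """Return the msg prefix of an active rule line, or None for blank/comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = MSG_PREFIX_RE.search(line)
    return m.group(1) if m else None


def prune_rules(rules_text, inventory):
    """Comment out active rules whose category has no target in the inventory.

    Returns (new_rules_text, disabled_sids). A rule whose category cannot be
    determined is left active so that nothing is dropped silently.
    """
    out, disabled = [], []
    for line in rules_text.splitlines():
        cat = rule_category(line)
        if cat is not None and cat not in inventory:
            sid = SID_RE.search(line)
            disabled.append(int(sid.group(1)) if sid else -1)
            line = "# no target on this network: " + line
        out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    pruned, sids = prune_rules(SAMPLE_RULES, SITE_INVENTORY)
    print(pruned, "disabled sids:", sids)
```

Running the pruned file through a second pass on the next survey, or diffing successive outputs, gives the "daily checkpoint" Jon mentions: a category that newly appears in the inventory is a host or service nobody documented.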