Snort mailing list archives
Re: Cisco IDS
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 20 Jan 2005 13:37:16 +1300
Bamm Visscher wrote:
So true! I gave a SANS@Night presentation at the SANS Network Security 2004 on our company's rollout of Snort over our world-wide network. We mainly use it for monitoring our WAN links these days.I like what Marty and crew is doing with RNA too. Check out pads [3] for a poor man's implementation. Passive OS and application detection (pads calls it passive asset detection) can help put an alert into context. Context is a huge piece of analysis, but often an afterthought and/or not included with most commercial implementations.
One of the main points I tried to make was that getting an alert that says "IP 192.168.3.4 appears to be exploiting the DCOM vuln on 1.6.4.5" doesn't mean much when:
a> the IS recipient doesn't know what COUNTRY 192.168.3.4 is in (Trimble has sites in in >20 countries, and IS staff don't know that sort of information off the tops of their heads) b> the recipient doesn't know details about 192.168.3.4 (like it's hostname. Has anyone managed to get Active Directory DDNS working anywhere approaching reliably?) c> the recipient doesn't know who owns that machine, or what business group/etc it's owned by
Technical solutions are great - but "a" can only be answered by knowledge of the network infrastructure (i.e. the Networking Group), "b" by the Windows group and "c" by Asset Tracking.
I've written our Alerting system to take the "raw" events out of snort (and other sources) and merge them with "a", "b" and "c" that I wrote hooks into, so that we now get alerts like "Windows host FRANKY (192.168.3.4) in the Paris office (owner: Franky Valley, Marketing) appears to be exploiting the DCOM vuln on MARGE". Much more useful :-)
Now I'm waiting for commercial products to offer the same: *integration* with existing databases. I don't want yet-another-copy-of-sixteen-databases-you'll-have-to-keep-in-sync-via-our-bl**dy-JAVA-app - I want *integration*.
</rant> :-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------- This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Cisco IDS, (continued)
- Message not available
- Re: Cisco IDS Will Metcalf (Jan 17)
- Re: Cisco IDS M. Shirk (Jan 19)
- Re: Cisco IDS Alex Butcher, ISC/ISYS (Jan 19)
- Re: Cisco IDS sp0ng3b0b (Jan 27)
- Re: Cisco IDS Dave Breiland (Jan 27)
- RE: Cisco IDS Theodore Stout (Jan 18)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 19)
- Re: Cisco IDS Bamm Visscher (Jan 19)
- Re: Cisco IDS Jason Haar (Jan 20)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 19)
- RE: Cisco IDS Joe Patterson (Jan 19)
- RE: Cisco IDS Alex Butcher, ISC/ISYS (Jan 20)