Snort mailing list archives

New Snort Mapping application...looking for feedback


From: "Ryan Trost" <trostycp () hotmail com>
Date: Tue, 22 Nov 2005 10:14:30 -0500

Just looking for some feedback from Snort users....

I've created an application that takes the alerts generated by Snort, extracts them from a MS SQL DB and fairly accurately plots them onto visual mapping software. The mapping capabilities allow the user to choose between {global, continent, country, state, or city and/or street depending on satellite coverage in that area -- see attachment} levels to help identify/monitor packet communications by using satellite imagery.

The mapping display also has several distinct visual aids: it helps users differentiate between priority 1-5 alerts and packet protocol (TCP/ICMP/UDP), color codes the node depending on the time relation of the alert (bold red just occurred, whereas light red occurred xxx hours ago), checks the source IP against well known proxy servers, and also gives the source's local time of the attack (a vital piece of information I rarely see in an IDS). The attached screen capture will give you a better idea. It's an older screen capture and very specific, as it only shows a single alert, but you get the idea.

The product's development stemmed from the fact that tcpdumps and alert headers are extremely informative about that specific packet. But I wanted to focus more on the source of the packet... Where are they geographically located? What time is it there? Is there any kind of group attack (now that cell phones and broadband are mainstream... attacks can be (and are) a joint effort)?

I know it sounds a lot like traceroute and IP trace... but it's much faster and is automated to give the user the ability to monitor in "real time" (refresh the view every 5 seconds) or give it a date range (give me all alerts in the past 30 days), and of course it interfaces with our favorite IDS -- SNORT.

This application is currently nameless (any ideas???) and is currently running in a Windows environment (all you NIX'rs, stop booing... I'm being forced to use that environment because of work restrictions). I know several other proprietary IDSs have this capability, but I've never come across Snort having it. Has anyone else? (I hope not, because then I just wasted countless hours of work.)

Would anybody be interested in this? Am I way out in left field? I'm finishing up the 'standalone' version of it and, given decent feedback, will design an equivalent web app that allows people to upload their Snort logs and see for themselves.

A side bonus -- in my version of it I've even created a Snort rule (thanks for the help, David) that creates a custom alert when an authenticated user logs onto the website. Once they enter their username/password, the rule triggers the custom alert and plots that person's coordinates. So in theory I know geographically where all my users are and can offset that against the packet alerts to make better packet security conclusions.

If you're interested or have a good name... let me know. Marty... what do you think?

Thanks,
Ryan
BinaryGnome
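
As an added illustration (not part of Ryan's post, and not his application's code): a Python sketch of the alert-processing step the post describes, i.e. take alert rows as they come out of the Snort database, shade each by how long ago it fired, translate the timestamp to the source's local time, flag sources on a proxy list, and keep only a date-range window. The row layout follows the classic Snort database output schema (a join of the event, iphdr and signature tables, IPs stored as unsigned 32-bit integers); the sample rows, the geolocation table, the proxy list and the fixed clock value NOW are constructed for the example, and the age thresholds are assumptions, since the post only says "bold red just occurred, light red xxx hours ago".

```python
"""Enrich Snort alerts pulled from the database for geographic plotting."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample rows, shaped like a join of Snort's event, iphdr and
# signature tables (assumption: classic Snort DB schema, IPs as unsigned
# 32-bit integers, timestamps written by the sensor in UTC).
SAMPLE_ROWS = [
    {"sid": 1, "cid": 101, "timestamp": "2005-11-22 14:55:10",
     "sig_name": "SCAN nmap TCP", "sig_priority": 2, "ip_proto": 6,
     "ip_src": 0xCB007101, "ip_dst": 0x0A000005},   # 203.0.113.1 -> 10.0.0.5
    {"sid": 1, "cid": 102, "timestamp": "2005-11-22 09:10:00",
     "sig_name": "ICMP PING", "sig_priority": 3, "ip_proto": 1,
     "ip_src": 0xC6336401, "ip_dst": 0x0A000005},   # 198.51.100.1 -> 10.0.0.5
    {"sid": 1, "cid": 103, "timestamp": "2005-10-01 00:00:00",
     "sig_name": "WEB-MISC old", "sig_priority": 1, "ip_proto": 6,
     "ip_src": 0xC0000201, "ip_dst": 0x0A000005},   # 192.0.2.1 -> 10.0.0.5
]

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2005, 11, 22, 15, 0, 0, tzinfo=timezone.utc)

# Hypothetical geolocation table: (network, city, UTC offset in hours).
# A real tool would query a GeoIP database here.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Sydney", 11),
    (ipaddress.ip_network("198.51.100.0/24"), "Los Angeles", -8),
]
# Hypothetical list of well-known proxy addresses (constructed).
KNOWN_PROXIES = {ipaddress.ip_address("192.0.2.1")}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_row(row):
    """Turn a raw DB row into typed fields (aware UTC datetime, IP objects)."""
    ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    return {
        "id": (row["sid"], row["cid"]),
        "when_utc": ts.replace(tzinfo=timezone.utc),
        "priority": row["sig_priority"],
        "proto": PROTO_NAMES.get(row["ip_proto"], str(row["ip_proto"])),
        "src": ipaddress.ip_address(row["ip_src"]),
        "dst": ipaddress.ip_address(row["ip_dst"]),
        "sig": row["sig_name"],
    }


def age_shade(when_utc, now):
    """Shade by alert age: the fresher the alert, the bolder the node.
    Thresholds are assumptions for the example."""
    age = now - when_utc
    if age < timedelta(minutes=5):
        return "bold red"
    if age < timedelta(hours=1):
        return "red"
    if age < timedelta(days=1):
        return "light red"
    return "grey"


def locate(ip):
    """Longest-match-free lookup in the toy geo table; None if unknown."""
    for net, city, offset in GEO_TABLE:
        if ip in net:
            return city, offset
    return None, None


def enrich(alert, now):
    """Add city, source-local time, age shade and proxy flag to one alert."""
    city, offset = locate(alert["src"])
    local = None
    if offset is not None:
        local = alert["when_utc"].astimezone(timezone(timedelta(hours=offset)))
    return {
        **alert,
        "city": city,
        "src_local_time": local.isoformat() if local else None,
        "shade": age_shade(alert["when_utc"], now),
        "known_proxy": alert["src"] in KNOWN_PROXIES,
    }


def plot_set(rows, now, window_days):
    """Alerts that fired within the last `window_days` before `now`,
    oldest first. A live view calls this on every refresh with a short
    window; a 30-day report passes window_days=30."""
    cutoff = now - timedelta(days=window_days)
    alerts = [enrich(parse_row(r), now) for r in rows]
    return sorted((a for a in alerts if a["when_utc"] >= cutoff),
                  key=lambda a: a["when_utc"])


if __name__ == "__main__":
    for a in plot_set(SAMPLE_ROWS, NOW, 30):
        print(a["id"], a["proto"], a["src"], a["city"],
              a["src_local_time"], a["shade"], a["known_proxy"])
```

Two details worth keeping when doing this for real: the sensor's timestamps must be treated as a known timezone (here assumed UTC) before any local-time conversion, or the "what time is it there" field is silently wrong, and IPs in the Snort schema are integers, so convert them with ipaddress rather than string-splitting.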

