Snort mailing list archives

Re: New Snort Mapping application...looking for feedback


From: Russ Starr <russ.starr () gmail com>
Date: Tue, 22 Nov 2005 10:53:13 -0600

That looks fun... How about GeoSnort for a name?

-Russ

On 11/22/05, Ryan Trost <trostycp () hotmail com> wrote:
Just looking for some feedback from Snort users....

I've created an application that takes the alerts generated by Snort and
extracts them from an MS SQL DB and fairly accurately plots them to a visual
mapping software.  The mapping capabilities allow the user to choose between
{global, continent, country, state, or city and/or street depending on
satellite coverage in that area -- see attachment} levels to help
identify/monitor packet communications by implementing satellite imagery.

The mapping display also has several distinct visual aids to help users
differentiate between priority 1-5 alerts, packet protocol (TCP/ICMP/UDP),
color codes the node depending on the time relation of the alert (bold red
just occurred whereas light red occurred xxx hours ago), checks the source
IP against well known proxy servers, and also gives the source local time of
the attack (a vital piece of information I rarely see in IDS).  The
attached screen capture will give you a better idea.  It's an older screen
capture and very specific as it only shows a single alert but you get the
idea.

The product's development stemmed from the fact that tcpdumps and alert
headers are extremely informative to that specific packet.  But I wanted to
focus more on the source of the packet...where are they geographically
located?  what time is it there?  is there any kind of group attack (now
that cell phones and broadband are mainstream...attacks can be (and are) a
joint effort)?

I know it sounds a lot like traceroute and IP trace...but it's much faster
and is automated to give the user the ability to monitor "real-time"
(refresh view every 5 seconds) or give it a date range (give me all alerts
in the past 30 days) and of course interfaces with our favorite IDS --
SNORT.

This application is currently nameless (any ideas???) and is currently
running in a windows environment (all you NIX'rs stop booing...I'm
being forced to use that environment because of work restrictions).  I know
several other proprietary IDSs have this capability but I've never come
across Snort having this capability.  Has anyone else?  (I hope not because
then I just wasted countless hours of work)

Would anybody be interested in this?  Am I way out in left field?  I'm
finishing up the 'standalone' version of it and given a decent feedback will
design an equivalent web app that allows people to upload their Snort logs
and see for themselves.

A side bonus -- in my version of it I've even created a Snort rule (thanks
for the help David) that creates a custom alert when an authenticated user
logs onto the website.  Once they enter in username/password the rule
triggers the custom alert and plots that person's coordinates.  So in theory
I know geographically where all my users are and can offset that with the
packet alerts to better make packet security conclusions.

If you're interested or have a good name....let me know.  Marty...what do you
think?

Thanks,
Ryan
BinaryGnome
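As an added illustration (this is not code from Ryan's application, which is not shown in the thread), a Python sketch of the enrichment step the post describes: parse Snort fast-format alert lines, look up the source address in a geo table, flag known proxies, compute the source's local time and shade the map node by alert age. The sample alert lines, GEO_TABLE, KNOWN_PROXIES, SENSOR_UTC_OFFSET and NOW are constructed assumptions standing in for the SQL extract, a GeoIP database and a proxy list.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in Snort's "fast" alert format; not real alerts.
SAMPLE_ALERTS = [
    "11/22/05-10:53:13.000000  [**] [1:1000001:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5",
    "11/22/05-04:10:00.000000  [**] [1:1000002:1] WEB-IIS probe [**] [Priority: 1] {TCP} 198.51.100.7:4321 -> 10.0.0.5:80",
]
# Hypothetical lookup tables standing in for a GeoIP database and a proxy list.
GEO_TABLE = {"192.0.2.0/24": ("Chicago", -6), "198.51.100.0/24": ("Berlin", 1)}
KNOWN_PROXIES = {"198.51.100.7"}
SENSOR_UTC_OFFSET = -6  # assumed: the sensor clock runs on US Central Standard Time
NOW = datetime(2005, 11, 22, 10, 53, 13)  # constructed "current time" for the demo

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)

@dataclass
class PlotNode:
    msg: str
    priority: int
    proto: str
    src: str
    city: str
    src_local_time: str
    via_proxy: bool
    color: str

def geo_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return info
    return ("unknown", 0)

def age_shade(age_hours):
    # Bold red for a fresh alert, fading toward light red over 24 hours.
    blend = int(min(max(age_hours, 0.0), 24.0) / 24.0 * 204)
    return f"#ff{blend:02x}{blend:02x}"

def enrich_alerts(lines, now):
    nodes = []
    for line in lines:
        m = FAST_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than plotting garbage
        ts = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f")
        city, offset = geo_lookup(m["src"])
        local = ts + timedelta(hours=offset - SENSOR_UTC_OFFSET)  # sensor time -> source local time
        nodes.append(PlotNode(m["msg"], int(m["prio"]), m["proto"], m["src"], city,
                              local.strftime("%Y-%m-%d %H:%M:%S"), m["src"] in KNOWN_PROXIES,
                              age_shade((now - ts).total_seconds() / 3600)))
    return nodes
```

Each PlotNode carries exactly the attributes the post lists (priority, protocol, proxy flag, source local time, age colour), ready to be handed to whatever mapping layer draws the node.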

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users