Re: Tcpdump, alerts and portscans

[Martin Roesch <roesch () sourcefire com>]

Look at the spo_unified plugin, that may have some of the answers you're
looking for.  Pretty soon (ver 1.8) you'll have a binary definition file
for Snort logs and alerts that allow you to move the information for
portscans around more easily for importation into something like
ACID/external logging systems.

I'll explain more in depth when I get a little free time (or when 1.8
ships).

    -Marty

Jason Lewis wrote:
> Actually that is what I want to do.
>
> I am the middle of writing a paper on configuring multiple sensors with a
> central console box.  The sensors are logging in tcpdump format and the
> master console pulls that info from the sensors and replays it through
> snort.  The master console is running ACID and all the sensor data is stored
> in the db.  This removes any extra load on the sensors and the master
> console is dedicated to crunching data.
>
> I have successfully done the replay but the portscan info isn't showing up.
> It isn't that important to me, but I know I will get questions.  So, I am
> looking for an alternative way of getting portscan info into ACID.  I don't
> like the other methods of consolidating sensor data.  I think tcpdump is the
> way to go, the portscan stuff is a detail.
>
> I can't believe I am the first to have this problem.
>
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
>
> -----Original Message-----
> From: Erik Fichtner [mailto:emf () servervault com]
> Sent: Monday, June 25, 2001 5:21 PM
> To: Jason Lewis
> Cc: snort-users () lists sourceforge net; 'Phil Wood'
> Subject: Re: [Snort-users] Tcpdump, alerts and portscans
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
> > Hmmmm.......  Well how about something that does analysis on the tcpdump
> > file to detect portscans?  Maybe even something to correlate data once it
> is
> > in ACID?
>
> Uh.. I don't think you want to do that.  You'd have to basically capture all
> your network traffic and stash it in the db and then have tools grovelling
> over it... you'd never catch up..  (Hmm. sounds like WebTr***s...)
>
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7N6seQ7EzrewLMS0RAlXGAKDNYYIUSB3jcwE+35afId/GsKHBAACfQHUI
> 6zH4iQ9Pv/JVJEWjNFCpCKw=
> =T0Bz
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users