Snort mailing list archives
Snort reports, PureSecure
From: Jari Pirhonen <lists () atbusiness com>
Date: Fri, 24 May 2002 11:34:48 +0300
I just emailed the following message to PureSecure regarding its reporting features. I'd like to hear your comments and suggestions also.
----- Original Message -----
From: "Patrick Meadows" <patrickm () demarc com>
To: "Simo Salonen" <simo.salonen () atbusiness com>; <support () demarc com>
Sent: Wednesday, May 08, 2002 10:38 PM
Subject: Re:

As for reporting, an advanced reporting sub-system is one of the targets for the next version of PureSecure, but that is still a while away. Please feel free to send suggestions on what you would like to see in that regard to suggest () demarc com so that we can make sure to tailor the system to what people really want and need.
Hi,

I'll throw in some comments regarding the IDS reporting. I have been running Shadow since 1998, and now we have had both Shadow and Snort (with PureSecure) running for some time already. The two most urgent reports we would like to get out of Snort:

- Daily email summary. We want several persons to check each morning what has happened during the last day and night, and the report should not be too detailed: scans, ports, attacking IPs, etc. The idea is that the responsible person would be able to see very quickly if anything abnormal has happened (like lots of SQL Server scans which we haven't seen before :-)

- Information about portscans: what ports have been scanned, by whom and when. Currently Snort doesn't show portscans very well. This information should be included in the daily report. Something like:

    194.162.242.145 scanned 156 nodes for port 22
                    scanned 200 nodes for port 21

In addition I'd like to see:

- good weekly, monthly, yearly summaries
- graphs, possibility to export data to Excel
- answers to questions like:
  "how many portscans did we have last week, to what port, from what IPs?"
  "what IPs have been most active?"
  "what ports/attacks have been most popular?"
  "what are the most popular targets?"
  "how do this week's attacks compare to the previous week, month, year?"
  "what are new attacks, not seen before?"
  "scans/attacks summaries grouped by ports, attack sig, IPs, ..."

etc, etc... I guess you get the picture?

I attached a couple of example gif files about port scanning trends which I'd like to see generated automatically. This probably requires that some summary data is stored separately from Snort's day-to-day data?

I'm still learning the finest features of Snort and PureSecure, and some of my wishes may be doable already. However, I see a big difference between reporting and information digging. It would be optimal if we could trust daily reports and alarms and go to deeper database digging only when something bad is really happening.
Some customers may even want "reports" twice a day or hourly. A good IDS interface should first give me an alarm: "something weird is going on". Then it should be able to answer (maybe in the format of a report) my question: "what the heck is going on - should I worry?" And if I decide that it's worth it, I would go to the "data mining interface" to see detailed data. Of course I would also like to see reports I could send to the admins of the attacker's network.

I'll send this message to the Snort mailing list also, in the hope of seeing whether some of my wishes are doable already or whether some new reporting tool is cooking somewhere...

regards,
Jari Pirhonen
AtBusiness Communications
--
Jari.Pirhonen () atbusiness com -- http://www.iki.fi/japi/
6B6A 0E36 903D 25ED 73BE D558 E35F 267A F578 E811 (PGP)
"All work and no play makes Jack a dull boy"
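An added example, not part of this post or of PureSecure, of the two report pieces asked for above: the per-source "scanned N nodes for port P" summary and the "not seen before" check against a baseline. It works over a constructed list of scan events (source, target, destination port); that tuple layout and the addresses are assumptions, not Snort's own portscan log format.

```python
from collections import defaultdict

# Constructed sample events, one per (source, target, port) probe seen today.
# Addresses come from documentation ranges; they are not real scanners.
SCAN_EVENTS = [
    ("203.0.113.5", "192.0.2.1", 22), ("203.0.113.5", "192.0.2.2", 22),
    ("203.0.113.5", "192.0.2.2", 22),             # repeat probe, same node
    ("203.0.113.5", "192.0.2.3", 21), ("203.0.113.5", "192.0.2.4", 21),
    ("203.0.113.5", "192.0.2.5", 21),
    ("198.51.100.9", "192.0.2.1", 1433), ("198.51.100.9", "192.0.2.7", 1433),
]

def nodes_per_source_port(events):
    """Count distinct target nodes per (source, port); repeats of one node count once."""
    targets = defaultdict(set)
    for src, dst, port in events:
        targets[(src, port)].add(dst)
    summary = defaultdict(dict)
    for (src, port), dsts in targets.items():
        summary[src][port] = len(dsts)
    return dict(summary)

def format_daily_report(summary):
    """Render the summary in the 'IP scanned N nodes for port P' layout,
    busiest source first, busiest port first within a source."""
    lines = []
    for src in sorted(summary, key=lambda s: -sum(summary[s].values())):
        first = True
        for port, n in sorted(summary[src].items(), key=lambda kv: -kv[1]):
            prefix = src if first else " " * len(src)
            lines.append(f"{prefix} scanned {n} nodes for port {port}")
            first = False
    return "\n".join(lines)

def new_scanned_ports(summary, baseline_ports):
    """Ports scanned today that never appeared in the baseline set: the
    'new, not seen before' list worth flagging at the top of the mail."""
    today = {port for per_port in summary.values() for port in per_port}
    return sorted(today - set(baseline_ports))

if __name__ == "__main__":
    summary = nodes_per_source_port(SCAN_EVENTS)
    print(format_daily_report(summary))
    print("new ports today:", new_scanned_ports(summary, {21, 22}))
```

A real run would feed the event list from the portscan table and persist the daily summary separately from the raw alerts, so that weekly and monthly comparisons read the small summary rather than the full database.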