Snort mailing list archives

Snort reports, PureSecure


From: Jari Pirhonen <lists () atbusiness com>
Date: Fri, 24 May 2002 11:34:48 +0300

I just emailed the following message to PureSecure regarding its
reporting features. I'd like to hear your comments and suggestions also.


----- Original Message -----
From: "Patrick Meadows" <patrickm () demarc com>
To: "Simo Salonen" <simo.salonen () atbusiness com>; <support () demarc com>
Sent: Wednesday, May 08, 2002 10:38 PM
Subject: Re:

As for reporting, an advanced reporting sub-system is one of the targets
for the next version of PureSecure, but that is still a while away.  Please
feel free to send suggestions on what you would like to see in that regard
to suggest () demarc com so that we can make sure and tailor the system to
what people really want and need.



Hi,

I throw in some comments regarding the IDS reporting. I have been
running Shadow since 1998 and now we have had both Shadow and Snort (with
PureSecure) running for some time already.

The two most urgent reports we would like to get out of Snort:
- Daily email summary. We want several persons to check each morning
what has happened during the last day and night, and the report should not be
too detailed. Scans, ports, attacking IPs, etc. The idea is that the responsible
person would be able to see very quickly if anything abnormal has
happened (like lots of SQL Server scans which we haven't seen before:-)
- Information about portscans: what ports have been scanned, by who and
when. Currently Snort doesn't show portscans very well. This information
should be included in the daily report.

Something like

194.162.242.145
scanned 156 nodes for port 22
scanned 200 nodes for port 21

In addition I'd like to see:
- good weekly, monthly, yearly summaries
- graphs, possibility to export data to Excel
- answers to questions like:
"how many portscans we had last week, to what port, from what IPs?"
"what IPs have been most active?"
"what ports/attacks have been most popular?"
"what are the most popular targets?"
"how are this week's attacks compared to the previous week, month, year?"
"what are new attacks, not seen before?"
"scans/attacks summaries grouped by ports, attack sig, IPs,..."
etc, etc,...I guess you got the picture?

I attached a couple of example gif-files about port scanning trends which
I'd like to see generated automatically. This probably requires that
some summary data is stored separately from Snort's day-to-day data?

I'm still learning the finest features of Snort and PureSecure and some
of my wishes may be doable already. However, I'll see a big difference
with reporting and information digging. It would be optimal if we could
trust daily reports and alarms and go to deeper database digging only
when something bad is really happening. Some customers may even want
"reports" twice a day or hourly.

A good IDS interface should first give me an alarm "something weird is
going on". Then it should be able to answer (in the format of a report
maybe) my question: "what the heck is going on - should I worry?" and
if I decide that it's worth it I would go to a "data mining interface" to
see detailed data.

Of course I would also like to see reports I could send to admins of the
attacker's network.

I'll send this message to Snort mailing-list also in hope to see if some
of my wishes are doable already or if some new reporting tool is cooking
somewhere...

regards,
Jari Pirhonen
AtBusiness Communications

-- Jari.Pirhonen () atbusiness com
-- http://www.iki.fi/japi/ 
-- 6B6A 0E36 903D 25ED 73BE  D558 E35F 267A F578 E811 (PGP)
-- "All work and no play makes Jack a dull boy"
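The daily summary and the per-source portscan digest Jari asks for above ("194.162.242.145 / scanned 156 nodes for port 22"), as an added example that is not part of the original post, of Snort, or of PureSecure. The script assumes its input is a file of single-line alerts in the shape of Snort's "fast" alert output; the sample alert lines, the signature names, the known-signature baseline and the addresses other than the one quoted in the post are all constructed for this example. It groups alerts by source, destination and signature, counts distinct scanned hosts per source and destination port (a port only counts as scanned when at least `min_nodes` distinct hosts were hit), and flags signatures that are absent from a stored baseline, which is the "new attacks, not seen before" question.

```python
"""Daily IDS summary from Snort-style "fast" alert lines (added example).

Assumptions, not taken from the original post: input lines look like
Snort's single-line fast alert format; SAMPLE_ALERTS and
KNOWN_SIGNATURES are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# One Snort-style fast alert line: timestamp, [**] [gid:sid:rev] msg [**],
# optional classification/priority, {PROTO} src[:sport] -> dst[:dport].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: one source probing several hosts on 22 and 21,
# another source hitting a single MS-SQL host, plus a non-alert line.
SAMPLE_ALERTS = """\
05/23-01:02:03.000001  [**] [1:100:1] Constructed SSH probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 194.162.242.145:40001 -> 10.1.1.1:22
05/23-01:02:04.000002  [**] [1:100:1] Constructed SSH probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 194.162.242.145:40002 -> 10.1.1.2:22
05/23-01:02:05.000003  [**] [1:100:1] Constructed SSH probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 194.162.242.145:40003 -> 10.1.1.3:22
05/23-01:02:06.000004  [**] [1:101:1] Constructed FTP probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 194.162.242.145:40004 -> 10.1.1.1:21
05/23-01:02:07.000005  [**] [1:101:1] Constructed FTP probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 194.162.242.145:40005 -> 10.1.1.2:21
05/23-02:30:00.000006  [**] [1:200:1] Constructed MS-SQL probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.9.9.9:51000 -> 10.1.1.5:1433
05/23-02:30:01.000007  [**] [1:200:1] Constructed MS-SQL probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 10.9.9.9:51001 -> 10.1.1.5:1433
05/23-03:00:00.000008  [**] [1:300:1] Constructed ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.9.9.9 -> 10.1.1.5
this line is not an alert and is skipped by the parser
"""

# Constructed baseline of signature names seen on earlier days; in a real
# deployment this would be the separately stored summary data.
KNOWN_SIGNATURES = {"Constructed SSH probe", "Constructed FTP probe", "Constructed ICMP PING"}


def parse_alerts(text):
    """Return a list of dicts, one per line that parses as an alert."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line; ignore it rather than fail
        e = m.groupdict()
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def top_counts(events, key, n=5):
    """Most common values of one field, e.g. 'src', 'dst' or 'msg'."""
    return Counter(e[key] for e in events).most_common(n)


def portscan_summary(events, min_nodes=2):
    """Map src -> {dport: number of distinct hosts hit on that port}.

    Ports hit on fewer than min_nodes distinct hosts are dropped, so a
    single connection attempt is not reported as a scan.
    """
    hosts = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["dport"] is not None:
            hosts[e["src"]][e["dport"]].add(e["dst"])
    summary = {}
    for src, ports in hosts.items():
        kept = {p: len(h) for p, h in ports.items() if len(h) >= min_nodes}
        if kept:
            summary[src] = kept
    return summary


def new_signatures(events, known):
    """Signature names in today's alerts that are not in the baseline."""
    return sorted({e["msg"] for e in events} - set(known))


def daily_report(text, known=(), top_n=5, min_nodes=2):
    """Build the short morning summary as plain text suitable for email."""
    events = parse_alerts(text)
    lines = [f"IDS daily summary: {len(events)} alerts", "Most active sources:"]
    lines += [f"  {ip}: {n}" for ip, n in top_counts(events, "src", top_n)]
    lines.append("Most targeted hosts:")
    lines += [f"  {ip}: {n}" for ip, n in top_counts(events, "dst", top_n)]
    lines.append("Most frequent signatures:")
    lines += [f"  {msg}: {n}" for msg, n in top_counts(events, "msg", top_n)]
    lines.append(f"Port scans (at least {min_nodes} distinct nodes per port):")
    for src, ports in sorted(portscan_summary(events, min_nodes).items()):
        lines.append(f"  {src}")
        for port, n in sorted(ports.items(), key=lambda kv: -kv[1]):
            lines.append(f"    scanned {n} nodes for port {port}")
    new = new_signatures(events, known)
    lines.append("New signatures not seen before: " + (", ".join(new) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(SAMPLE_ALERTS, KNOWN_SIGNATURES))
```

Run against a real alert file by reading it into `daily_report` in place of `SAMPLE_ALERTS` and persisting the set of signature names seen each day as the next day's `known` baseline; the weekly and monthly views the post asks for are the same aggregation over a wider window of files.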

