Snort mailing list archives
RE: CEREBUS 1.2 Alert Browser and Data Correlator
From: "Donofrio, Lewis" <donofrio () umich edu>
Date: Tue, 27 Aug 2002 12:05:42 -0400
Ruiu,

Thanks for the reply, but what is the PATH to the standard .map files that snort uses? --Sorry, but I'm having a hard time getting LS in Linux to do the same as DIR /s *.map does in DOS 6.22.

______________________________________________________________________
Lewis Donofrio () umich edu
College of Literature, Science, & Arts
1007 East Huron, Room 201, BetaID:243340
Cell: (734) 323-8776
Ann Arbor, MI 48104-1690
www.umich.edu/~donofrio
Fax: (734) 647-8333
-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Tuesday, August 27, 2002 4:24 AM
To: Donofrio, Lewis; snort-users () lists sourceforge net
Subject: Re: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator

The sid-msg map file comes with snort. It is what Cerebus uses to translate numeric SID numbers to text labels. There is also a gen script in the snort distribution if you have added your own rules and SIDs to the ruleset and want to regen the map file.

cheers,
--dr

On August 27, 2002 02:25 pm, Donofrio, Lewis wrote:

Gentle People,

Anyone use www.smmothwall.org gpl 0.9.9se around here? I tried to run this util on my firewall but I cannot locate the .map file required? This ISO runs Version 1.8.1-RELEASE (Build 74) and I've been looking in the \var\logs\snort but none found? --Just wondering....

---anyone got a php script that will email the ip owner of ATTACKING machines?
----I have a vbs script I run for my cheesy blackice service.

______________________________________________________________________
Lewis Donofrio () umich edu
College of Literature, Science, & Arts
1007 East Huron, Room 201, BetaID:243340
Cell: (734) 323-8776
Ann Arbor, MI 48104-1690
www.umich.edu/~donofrio
Fax: (734) 647-8333

-----Original Message-----
From: Dragos Ruiu [mailto:dr () dursec com]
Sent: Monday, August 26, 2002 10:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator

////////////////////
// Announcing the release of CEREBUS v1.2
////////////////////

What is CEREBUS?

CEREBUS is a text-based full screen alert analysis system for Snort unified alert output. It lets you load multiple snort alert files into its embedded database system and make real-time queries to quickly delete noise alerts. It is a statically linked standalone binary and does not require you to set up any additional database software to analyze Snort IDS output.

Cerebus is intended for Intrusion Detection System analysts who deal with a large volume of IDS probe data and alert logs and need to efficiently process these large amounts of data, potentially over a remote connection, or individuals who wish to use the Snort IDS but do not want to deal with the complexity of installing a full database manager for managing and browsing alerts, or who desire to make their log analysis time as short and efficient as possible. What it lacks in eye-candy (fancy fonts, gui buttons) it makes up for in raw speed and efficiency of processing alerts and the ability to rapidly identify small important anomalies in large datasets. It is also useable over a network link without having to import those large data sets to your local machine... so if you have a large fast machine as your central repository or you want to analyze the data on the probe machine directly you can do all the processing there (Cerebus is also very CPU efficient compared to an SQL database) and still use it from your own desktop - independent of what your desktop machine is - without waiting for a slow web gui to update or a database to run queries.

Feed Cerebus Snort unified alert files from /var/log/snort. (Follow the snort config instructions on the first Cerebus screen to set up unified output, if you are unfamiliar with this.)

Cerebus won't impress your manager with fancy pie charts, but it may speed up your alert analysis to let you examine events in detail that would otherwise get ignored. Cerebus will let you hopefully spend less time minding the IDSes and more time enjoying summer.

The Lite version is the free non-commercial version intended for smaller environments and individual use. The information below pertains to both the commercial licensed version and the free Lite version. The commercial version features support for more alert input file formats and sources, writing ability to save edited alert sets/reports, and enhanced multi-source data management.

////////////////////
// What's new in this release:
////////////////////

-Alert Priority and Classification Display
-Sort/Collapse/Removal by Priority and Classification
-Collapsing similar alerts (source, dest, alert type etc...)
-Statistics modes (in conjunction with collapsing) and Alert counts.
-New partial processing for _very_ large alert files. It will defer processing until you scroll to the data when you choose a collapse mode. The number in parentheses after the number of alert records indicates the number of collapsed records after display collapse. (note the number will change as you scroll through the file and incremental processing happens.)
-New high speed mini-curses library. I got tired of futzing with statically compiling curses, I was looking through the code and said, "yuck, look at all this crap", "curses" indeed. Who in this day and age needs ASCII windowing and support for Morrow InterTube magic cookie terminals? Everything (well almost :-) in the known universe uses the ansi/vt1x0/vt2x0 command set - so I stripped out the gunk for everything except that in my reimplementation! So you can use anything like an xterm (use a wide one to see all the fields), or a linux/bsd/console, pc terminal program, remote ssh whatever... I'm afraid that if, like me, you have something odd like a wyse terminal you are sol about using this on it :-) By losing all the termlib/terminfo crap and a lot of unused functionality, the low swearing diet plan reduced this library's waistline by more than 10x and gained noticeable execution speedups.
-Fast scrolling. The benefit to reimplementing curses is that I have removed all library dependencies and I even removed stdio and libc routines. My new small fast library makes scrolling much snappier (I can't really tell the difference between a p-200 and gig athlon) - and it is now realistic to lean on the page down key and hop over a few tens of thousands of alerts. The mini-curses library (libcuss? short version of curse? libless? a blessing would be the opposite of a curse? :-) should also send fewer characters overall in bigger blocks than normal curses to describe the same screen, so it should still work fine over network ssh'es, or even serial consoles - probably even better than the original curses (since it essentially hasn't been touched since the early 80's and the System V Release 2 version that has propagated in both Linux and BSD.).
-Static binaries with no library dependencies. The Linux, FreeBSD, OpenBSD, (and OSX as soon as I upload the recompile to the web servers) versions on the web servers are now there. I'm happy to say that except for open/close, read/write, malloc/free (and ioctl on bsd), this stuff is libc bloat free. These binaries should run on any systems without library futzing. I'm happy with the portability of my code :-).
-The sparc version is still unavailable because the donated sparcstation doesn't seem to like either video or serial consoles... sigh.
-Itanium and Alpha versions of Cerebus will be added to release sets soon with these new portability improvements in this version. (Thanks Chris)

////////////////////
// Cool things you can do with Cerebus:
////////////////////

-Look at the count statistics for each kind of alert in a set of files? how:
  1. Merge the files into the db
  2. (S)ort by (A)lert
  3. (C)ollapse by (A)lert
-Delete all of a certain kind of alert for a single destination host? how:
  1. Merge the files into the db
  2. (S)ort by (D)estination (I)P
  3. (S)ort by (A)lert
  4. (C)ollapse by (D)estination (I)P
  5. Move to the host/alert pair you want to nuke and delete it using (R)emove (D)estination (I)P or (D)elete
-Look at the Alert activity by port? how:
  1. Merge the files into the db
  2. (S)ort by (D)estination or (S)ource (P)ort
  3. Collapse by the same choice

////////////////////
// Cerebus Tutorial:
////////////////////

Cerebus is intended to be a paring tool - to cut away uninteresting data and get to the core of security issues. The usual way I use Cerebus is to load in the alert files I want to look at and remove the noise before analyzing anything in detail. The quick way to get rid of data is to collapse it and then delete the collapsed line. In this way usually hundreds of thousands of alerts can be reduced to mere hundreds of lines to look at in more detail.

My usual first step is to get rid of the alert types I don't care about (things like code red on web servers etc..) I usually sort by alert and then collapse by alert to nuke alert types I don't like. Then I usually weed out noisy or often falsing hosts, by sorting on destination ip and port. You can then use port sorting to eliminate some noisy protocols. After I get rid of the noise... I then usually sort by source and collapse and start investigating the hosts that have been sending a lot of crap...

So far I am pleased to report Cerebus has dramatically decreased the amount of time I have to spend looking over alert files - It lets me manage and analyze volumes of alerts that were previously infeasible to look through for anomalies and interesting data (and would probably have wound up in the bit-bucket without Cerebus). It works best in as large an xterm as you can fit on your screen with small font sizes... because the scrolling is very fast, you can hop over impressive amounts of data rapidly just using page up and page down.

You can do correlation by using the different sort and collapse modes to delete the data between events of interest and look at multi-machine events side by side. Reloading the same file lets you restore those events that you deleted when examining certain hypotheses...

////////////////////
// Cerebus Hints:
////////////////////

-In the upper right corner of the screen are indicator toggles for the collapse modes. To toggle a collapse mode <off> just reselect it.
-The sort order is a stack. It gets reset when you sort by (E)vent
-You can see the sort stack indicator in the upper right next to the collapse indicators.
-The (E)xpand command will clear all collapsing. All the records will be ungrouped as you page through the data.
-If you accidentally deleted some records you can re-merge the files you loaded earlier. Cerebus will tell you how many records it restored. It will automatically weed out duplicate event IDs.
-If you are analyzing live files that snort is writing to, you can re-merge the files to get the new records recently written out.
-Flipping over alert files daily/weekly seems to be a nice way to manage datasets.

////////////////////
// Cerebus Caveats:
////////////////////

-Cerebus is not perfect. It's just zippy. If it crashes on you, you have either found a bug and you should tell me or you need more memory :-). (It will give a diagnostic in this case)

////////////////////
// Where to get cerebus:
////////////////////

http://dragos.com/cerebus/cerebus-linux-v1.2
http://dragos.com/cerebus/cerebus-fbsd-v1.2
http://dragos.com/cerebus/cerebus-obsd-v1.2

I hope it saves you some time. Feedback and requests welcome.

////////////////////
// Mandatory Commercial Content:
////////////////////

-dr is available for ids consulting and analysis and system projects. cerebus is available for custom implementation integration. more toys under construction. Since Sourcefire hasn't recently been farming out any more remote development work now that they have a full team in-house in MD I am actively seeking development and consulting contracts until I get busy with my conference preparations again.

cheers,
--dr

--
dr () kyx net   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
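The two practical points in this thread, finding the .map files the way "DIR /s *.map" would and using sid-msg.map to turn numeric SIDs into text labels before collapsing alerts by type, as an added POSIX shell example. This is not part of the original thread and not Cerebus or Snort code. Everything under $WORK (the sid-msg.map contents and the "sid src dst" alert records) is constructed for the example; the map's location on a real install (next to snort.conf, commonly /etc/snort) is an assumption, not something the thread states. The last function is a rough stand-in for the (S)ort by (A)lert / (C)ollapse by (A)lert count statistics described in the announcement.

```shell
#!/bin/sh
# Added example, not Cerebus or Snort code.  Builds a throwaway tree with a
# constructed sid-msg.map and a constructed alert list, then shows how to
# find the map, label a SID, and collapse alerts by type with counts.
set -e

WORK=$(mktemp -d)
MAP="$WORK/etc/snort/sid-msg.map"   # constructed; real installs usually keep
                                    # it next to snort.conf (assumption)
ALERTS="$WORK/alerts.txt"

mkdir -p "$WORK/etc/snort"

# Constructed sid-msg.map in the Snort 2.x line format:
#   SID || message || reference || reference ...
cat > "$MAP" <<'EOF'
1000 || WEB-IIS cmd.exe access || bugtraq,1806
1287 || WEB-IIS scripts access
469 || ICMP PING NMAP || arachnids,162
EOF

# Constructed alert records reduced to "sid src dst" (a unified alert record
# carries more, but the SID is what sid-msg.map keys on).
cat > "$ALERTS" <<'EOF'
1000 10.0.0.5 192.168.1.10
1000 10.0.0.5 192.168.1.10
1287 10.0.0.7 192.168.1.10
469 10.0.0.9 192.168.1.20
1000 10.0.0.8 192.168.1.11
EOF

# Linux equivalent of "DIR /s *.map": recurse from a root and print every
# matching regular file.  On a real box start from / (or /etc, /usr/local).
find_maps() {
    find "$1" -type f -name '*.map' 2>/dev/null
}

# Translate one numeric SID to its text label.  Fields are split on " || ";
# $1 is the SID and $2 the message, references (if any) follow.
sid_to_msg() {
    awk -F ' [|][|] ' -v sid="$2" '
        $1 == sid { print $2; found = 1; exit }
        END       { if (!found) print "unknown sid " sid }
    ' "$1"
}

# Collapse by alert type: count records per SID in the alert list and label
# each SID from the map.  Output lines are "<count> <sid> <message>",
# largest count first; an unmapped SID is flagged rather than dropped.
collapse_by_alert() {
    awk -F ' [|][|] ' '
        NR == FNR { msg[$1] = $2; next }          # first file: the map
        { split($0, f, " "); count[f[1]]++ }      # second file: alert records
        END {
            for (s in count)
                printf "%d %s %s\n", count[s], s, (s in msg ? msg[s] : "unknown sid")
        }
    ' "$1" "$2" | sort -rn
}

echo "Map files under $WORK (what DIR /s *.map would list):"
find_maps "$WORK"
echo "SID 1000 -> $(sid_to_msg "$MAP" 1000)"
echo "SID 9999 -> $(sid_to_msg "$MAP" 9999)"
echo "Collapsed by alert:"
collapse_by_alert "$MAP" "$ALERTS"
```

Run it with any POSIX sh and awk. To locate a real map instead of the constructed one, call find_maps with / or /etc as the root; a SID missing from the map is reported as "unknown sid", which is the case to watch for after adding local rules without regenerating sid-msg.map.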
Current thread:
- CEREBUS 1.2 Alert Browser and Data Correlator Dragos Ruiu (Aug 27)
- <Possible follow-ups>
- RE: CEREBUS 1.2 Alert Browser and Data Correlator Donofrio, Lewis (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Dragos Ruiu (Aug 27)
- RE: CEREBUS 1.2 Alert Browser and Data Correlator Donofrio, Lewis (Aug 27)
- RE: CEREBUS 1.2 Alert Browser and Data Correlator Donofrio, Lewis (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Michael Boman (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Dragos Ruiu (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Michael Boman (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Michael Boman (Aug 27)
- RE: CEREBUS 1.2 Alert Browser and Data Correlator Donofrio, Lewis (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Michael Boman (Aug 27)
- Re: CEREBUS 1.2 Alert Browser and Data Correlator Phil Wood (Aug 27)