Snort mailing list archives

Re: criticism of snort in articles that I can not remember being explained or rebutted on this list. Device Discovery slash manually configuring snort.


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 26 Nov 2002 15:29:31 -0800 (PST)

On Mon, 25 Nov 2002, Jacob, Raymond A Jr wrote:

[...snip...]

> I have seen reviews of IDS products with snort and they all mention that
> snort requires too much manual configuration and tuning. At first, I
> thought there is a reason why you never see "Intrusion Detection for
> Dummies" in the book store because in order to do network intrusion
> detection right you need to know about network security so Dummies need
> not apply. I think most of the people on the list know how to read an IP
> packet and ACID gives you enough of an idea to know someone is trying to
> hack into your network.

> Then after reading these reviews and all of them saying the same
> thing to me, I had to ask myself what these criticisms are really saying. What
> I understand them to say is that snort can not tell me what to worry
> about in my trusted network and DMZ.

heh...  You've already answered your own question.  ;) "...you need to
know about network security..."  If snort tried to 'automagically'
config things, things might get misconfigured and then you would blame the
snort team, and that would be bad.  :)

> Before one can effectively monitor a network for intrusion, one must
> be able to eliminate false positives from known devices. At this time as
> far as I know this process is done manually. However, there are tools
> such as cheops or nmap which can determine what hosts are running
> webservers, or pop mail servers, or ftp servers... in your trusted
> network or DMZ.

Keep in mind that those tools don't really tell you what's running.  Those
programs only tell you about open ports, not what the service actually is.
I can run a http server on port 110 if I want, and nmap would report pop3
instead of http.

> Information about services running on particular hosts
> could not only be used to filter events but to raise an alert when the
> IDS recognizes an attack signature destined for a host with that service
> running. The question is: why can not nmap or cheops be used to
> automatically configure HTTP_Servers(?) or create rules and alerts in
> snort for hosts in the DMZ and Trusted Networks with well known
> services?

From above:  They only know ports and what 'should' be on them.

> When there is a problem and a server or workstation is running NetBIOS, I
> ping the IP address and use nbtstat to find the name of the computer. If
> nbtscan could be used to identify computers, it could provide limited
> Windows name resolution to the ACID names table; furthermore, the
> ACID(MySQL) server could run winbind to populate a machine, user, group
> table in the ACID names table.

Calling an external program from PHP isn't too hard.  You could call the
program, and resolve the NetBIOS info on the fly and/or have it write it
back into the DB.

> One could argue that DNS will replace WINS one day. I don't know if that
> day will come soon.

Err...  I really don't think WINS ever has a chance vs. DNS.  IMHO, DNS
won't ever be replaced by a broken MS protocol.  God, at least I _HOPE_
so!

> The questions here are:
>
> 1. If nbtscan does not use a broadcast mechanism and netbios-dgm(135) is
> allowed to travel within the trusted network, why can't it create an
> /etc/hosts file to provide name resolution in snort?

Name resolution should never go into snort.  That should be taken care of
by something external so it doesn't slow down the snort process.  You
could script something to do that and have it placed into your ACID box's
hosts file.

> 2. If winbind is run on the ACID(MySQL) server will resolving Windows
> User names put such a burden on the ACID(MySQL) server that it can not
> receive information from snort?

You don't have to have your MySQL box the same as your ACID box.  If you
have a standalone ACID box, it shouldn't be too much effort.  If you have
it all on one box, you might want to test it on a small page before
setting it up in production.  Either way you're setup, you'd want to cache
the data in some fashion.

> ACID has a great schema however the tool is very limiting and does not

[...snip...]

> professional network security analysts. Will ACID evolve into this tool?

[I've broken my ACID box, so I can't verify for sure.]

The first report could be generated from the Search section.  Define the
port and the net, run the search, and it should provide what you want.

As for the evolution of ACID, that's one better answered by Roman.  :)

> Conversely, at the low end and for wide deployments where there are no
> professional network security analysts, one needs what I call a trained
> monkey IDS alert station with christmas tree lights. Basically this
> consists of a table with cells or a tree with branches that turns green,
> yellow, and red depending on the severity and number of network events.
> The user clicks on a light, a description of the event pops up with the
> source address, the port, and destination network. I don't know what
> type of IDS alert tool -i.e. professional or trained monkey- should be
> included in snort. I will tell you that there are many organizations
> that bought earlier versions of ISS and figured it is a GUI so we don't
> need a qualified person to run it. ISS was basically brain dead back
> then - i.e. no packet dumps- so you either went brain dead trying to run
> it or just ignored it.

Nothing that I know of does that 'Out of the Box.'  You could beat
NetCool, Tivoli or OpenView into submission to do that.  There are some
packages that do that, but they are the Intellectual Property of several
MSS companies--So we'll never see them unless someone feels generous.

> Lastly and although this was not mentioned in the reviews, there is a
> big push to combine alerts/denials from all network security devices
> i.e. routers, firewalls, and IDS's. Meaning that at some point in time
> logsnorter may have to become part of the basic snort package.

Yes, there is a push for that.  You could again use something like Netcool
for that.

As for it becoming part of the basic snort package...  I don't really
think it should be.  Snort should snort packets, not do data mining and
correlation.  I think that something external such as ACID or Sourcefire
Management Console would be better.  That would allow updates to the
individual parts, w/o waiting for 'the other one' to be done.

> In conclusion, it is my opinion that commercial customers want no
> brainer solutions because either they don't have or can not afford
> professional network security analysts.

Yep. And that's why those folks keep Security Consultants in business.
;-)

> This is the customer the trade magazines and journals are writing for.
> This means that I hope snort becomes a network detection system
> composed of an engine, management console, and alert station to insulate
> the untrained security analyst while providing the tools that the
> professional analyst needs to be productive.

Snort already has that.  :)

> However, until snort becomes a no brainer the reviews will continue to
> portray snort as the cinderella of IDS's. The problem with bad press is
> that some managers don't know enough to objectively decide on what
> solution is best for the organization and proprietary vendors in their
> sales pitch will say that snort is too difficult to configure and our
> product won an A+ from .... magazine.

I'm real curious as to which articles you were reading.  The ones that
I've seen tend to rate Snort very well.  I haven't seen one bit of bad
press.  But then again, I might be reading the wrong articles! :)


> I apologize for this
> distracting email.

Naaa...  Don't worry about it.  It gave me something to do for 30 minutes.
;-)

> I just get the sense that everyone is so wrapped in the technology that
> we forget that everyone is not like the users on snort-users.

Hrmmmm...  I don't know about being wrapped up in technology, but snort
isn't rocket science.  You just have to understand some key concepts to
use it or to make sense of it.

And as for the users on snort-users, there are quite a few (~3600 last
time I heard) with a range of 'types'.  We've got the "I haven't even
looked at the manual, and I want someone else to do this for me" all the
way up to "I'm the Snort _GOD_!  All shall bow down before my _MASSIVE_
Snort FOO!"  :)

> That is why no one asked the question why snort is always reviewed with
> a negative spin, i.e. Snort is great, but...

Again, I've not read that or heard it.  I'd love to read those negative
articles if you still have links for them.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
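The two technical points of the exchange above, that a port scan only tells you what 'should' be on a port, and that you could still script the scan results into snort's server variables, fit together in one small tool. The script below is an added example written for this archive page; it is not code from either poster or from the Snort project. It verifies each open port by what the peer actually says on the wire (a POP3, SMTP, FTP, SSH or IMAP daemon greets first; an HTTP daemon waits for a request), then groups hosts by the verified service and emits `var` lines. Everything in it is an assumption of the example: the banner samples are constructed, not captured; the variable names (HTTP_SERVERS, SMTP_SERVERS, ...) follow the stock snort.conf layout of the 1.9/2.0 era; and the probe string and timeouts are arbitrary choices.

```python
"""Turn a port scan into verified service classes and snort.conf 'var' lines.

Added example for this thread, not code from the original posters or from
Snort. Assumptions: banner samples below are constructed; the *_SERVERS
variable names follow the stock snort.conf of the 1.9/2.0 era; probe text
and timeouts are arbitrary.
"""
import socket

HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"   # sent only if the peer stays silent

# Verified service -> snort.conf variable that the stock rules key on.
# (Assumption: names as in the stock snort.conf of that era.)
SERVICE_VAR = {"http": "HTTP_SERVERS", "smtp": "SMTP_SERVERS",
               "dns": "DNS_SERVERS", "telnet": "TELNET_SERVERS"}
# Port the stock rules expect for each service; anything else gets flagged.
EXPECTED_PORT = {"http": 80, "smtp": 25, "pop3": 110, "ftp": 21,
                 "ssh": 22, "imap": 143}


def classify_banner(greeting: bytes, http_reply: bytes = b"") -> str:
    """Name the service from what the peer sent, ignoring the port number.

    greeting   - bytes that arrived before we sent anything (server-talks-first
                 protocols: POP3, SMTP, FTP, SSH, IMAP)
    http_reply - what came back to HTTP_PROBE when there was no greeting
    """
    g = greeting[:80]
    if g.startswith(b"SSH-"):
        return "ssh"
    if g.startswith(b"+OK"):
        return "pop3"
    if g.startswith(b"* OK"):
        return "imap"
    if g.startswith((b"220 ", b"220-")):
        # FTP and SMTP both open with 220; the greeting text usually says which.
        low = g.lower()
        if b"smtp" in low:          # also matches "ESMTP"
            return "smtp"
        if b"ftp" in low:
            return "ftp"
        return "ftp-or-smtp"
    if http_reply[:5] == b"HTTP/":
        return "http"
    return "unknown"


def grab(host: str, port: int, timeout: float = 3.0) -> str:
    """Live variant (not exercised by the offline demo): listen, then probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        greeting, reply = b"", b""
        try:
            greeting = s.recv(256)
        except socket.timeout:
            pass
        if not greeting:
            s.sendall(HTTP_PROBE)
            try:
                reply = s.recv(256)
            except socket.timeout:
                pass
        return classify_banner(greeting, reply)


def snort_vars(inventory):
    """inventory: iterable of (ip, port, service) -> list of snort.conf lines.

    Hosts are grouped by the *verified* service, so an HTTP daemon on 110
    lands in HTTP_SERVERS (and is flagged) instead of being filed as POP3.
    """
    members, notes = {}, []
    for ip, port, svc in inventory:
        var = SERVICE_VAR.get(svc)
        if var and ip not in members.setdefault(var, []):
            members[var].append(ip)
        exp = EXPECTED_PORT.get(svc)
        if exp is not None and port != exp:
            notes.append(f"# {svc} on {ip}:{port} "
                         f"(stock rules expect {exp}; check the *_PORTS var)")
    lines = [f"var {v} [{','.join(ips)}]" for v, ips in sorted(members.items())]
    return lines + notes


# Constructed sample (not real captures): (ip, port, greeting, reply-to-probe).
SAMPLE = [
    ("10.0.0.5", 80,  b"", b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
    ("10.0.0.9", 110, b"", b"HTTP/1.0 200 OK\r\nServer: thttpd\r\n\r\n"),  # http on 110
    ("10.0.0.7", 110, b"+OK POP3 server ready\r\n", b""),
    ("10.0.0.7", 25,  b"220 mail.example ESMTP Sendmail\r\n", b""),
    ("10.0.0.8", 21,  b"220 ProFTPD Server ready\r\n", b""),
]


def inventory_from_sample(sample=SAMPLE):
    return [(ip, port, classify_banner(g, r)) for ip, port, g, r in sample]


if __name__ == "__main__":
    for line in snort_vars(inventory_from_sample()):
        print(line)
```

Running the demo prints `var HTTP_SERVERS [10.0.0.5,10.0.0.9]`, `var SMTP_SERVERS [10.0.0.7]` and a comment flagging the HTTP daemon on 10.0.0.9:110, which is exactly the case a port-number lookup would have filed under POP3. The generated lines are meant to be pasted into snort.conf by hand or by a wrapper script; keeping that step outside snort follows the advice in the reply that discovery and name resolution belong in external tooling, not in the sniffing process.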




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

