Snort mailing list archives

Re: squil


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Thu, 7 Aug 2003 07:51:35 -0700 (PDT)

Tim,

We Sguil-ers are always happy to see people experience
the joys of network security monitoring (NSM), not
"IDS", first-hand.  Collecting data via log_packets.sh
isn't a bug -- it's a feature.  :)  I would prefer to
have tcpdump do the collection, but Snort's built-in
packet log naming and responsiveness to HUP signals
are too convenient at this point.

Two main points:

1.  Why NSM and not IDS?  30 seconds on theory -- NSM
incorporates four types of data: event, session, full
content, and statistical.  IDS is traditionally only
event data ("port scan", "NIMDA attack", "root login",
etc.)  This is based on a detection-oriented goal
which is what customers generally want.  However, as
IDS represents necessary design trade-offs,
opportunities for evasion exist.  How do you detect,
scope, and respond to an incident that triggers no
signature, rule, threshold, anomaly?  With NSM, you
turn to your session, full content, and statistical
data -- perhaps after the incident occurs.  Let's be
realistic.  A lot of incidents aren't seen by IDS, but
are detected elsewhere -- by customers, users, and sys
admins.  Once the analyst has SOME lead, whether
IDS-generated or not, NSM really comes into play to
quickly scope and respond to an intrusion.

2.  I prefer separate code to collect data for each
type of NSM data.  For example:

  a. event: Snort 
  b. session: argus (Sguil uses stream4's "keepstats")
  c. full content: tcpdump (Sguil uses a 2nd instance
of Snort)
  d. statistical: ntop? (this is an area for
"opportunities," as Sguil doesn't offer this yet)

For several years we have also collected data using
passive fingerprint (p0f), but I don't think Sguil
includes that functionality now.

Separate code helps the NSM platform be more resilient
to attack.  If another Snort bug is found and
exploited, argus, tcpdump, etc. keep working.  If
tcpdump is exploited again, hopefully Snort, argus,
etc. keep working, and so on.  At some point in the
future I would like Sguil to offer the user different
options on how to collect event, session, full
content, and statistical data.

If anyone cares I'm working on slides for a 21 Aug
webcast on this
(http://searchsecurity.techtarget.com/webcasts/0,289675,sid14,00.html),
a sequel to a webcast Bamm and I did in Dec 02
(http://taosecurity.com/press.html).  I also have a
book proposal to Addison Wesley on this, but I already
have a contract with AW for a forensics book with part
of the Anti-Hacker Toolkit book team.

Thanks again for your interest in Sguil!  We are ever
so beta at this point but Bamm and the other coders
are working as best they can to make Sguil easier to
install and use.  We appreciate all of the people who
are submitting their experiences, especially involving
installation.  We welcome any help the community would
like to provide.

Sincerely,

Richard Bejtlich
richard at taosecurity dot com
http://taosecurity.com
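The pivot Richard describes in point 1 (start from some lead, use session data to scope it, then pull the full content) is shown below as an added example; it is not Sguil's code and not code from this thread. The session records, the lead, and the capture-file names are constructed sample data. The snort.log.<epoch> file naming follows Snort's binary packet log convention; the assumption that one file covers exactly the hour from its start timestamp reflects an hourly-rotation setup and may not match a given log_packets.sh configuration.

```python
"""Scope an incident from a lead (one host, one time window) using
session data, then locate the full-content capture files and build
a BPF filter to carve out each session's packets.

Added example, not Sguil's own code.  All records below are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    start: int    # epoch seconds of first packet
    end: int      # epoch seconds of last packet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int


# Constructed session records, the kind argus or stream4 keepstats would
# emit.  192.0.2.10 is the internal host named in the lead.
SESSIONS = [
    Session(1060246800, 1060246805, "tcp", "198.51.100.7", 2311, "192.0.2.10", 139, 1400),
    Session(1060246810, 1060246815, "tcp", "198.51.100.7", 2312, "192.0.2.10", 445, 3100),
    Session(1060246900, 1060246960, "tcp", "192.0.2.10", 1055, "203.0.113.5", 6667, 18200),
    Session(1060250500, 1060250900, "tcp", "192.0.2.10", 1060, "203.0.113.5", 80, 2100000),
    Session(1060247000, 1060247002, "udp", "192.0.2.20", 53421, "192.0.2.1", 53, 180),
    Session(1060250000, 1060250001, "tcp", "192.0.2.30", 1100, "192.0.2.10", 80, 900),
    # This one straddles an hourly capture boundary (1060250400).
    Session(1060250300, 1060250500, "tcp", "192.0.2.10", 1058, "203.0.113.9", 443, 7600),
]

# Constructed capture-file names.  Assumption: Snort binary logs rotated
# hourly, each named snort.log.<epoch second at which it was started>.
CAPTURE_FILES = ["snort.log.1060243200", "snort.log.1060246800",
                 "snort.log.1060250400", "snort.log.1060254000"]


def sessions_for_lead(host, t0, t1, sessions=SESSIONS):
    """Sessions involving `host` that overlap the window [t0, t1]."""
    return sorted((s for s in sessions
                   if host in (s.src, s.dst) and s.start <= t1 and s.end >= t0),
                  key=lambda s: s.start)


def peers_of(host, sessions):
    """Distinct peers of `host` with total bytes exchanged with each."""
    totals = defaultdict(int)
    for s in sessions:
        peer = s.dst if s.src == host else s.src
        totals[peer] += s.bytes
    return dict(totals)


def capture_files_for(session, files=CAPTURE_FILES):
    """Capture files whose time span overlaps the session (may be several)."""
    spans = sorted((int(f.rsplit(".", 1)[1]), f) for f in files)
    hits = []
    for i, (fstart, name) in enumerate(spans):
        fend = spans[i + 1][0] if i + 1 < len(spans) else float("inf")
        if fstart <= session.end and fend > session.start:
            hits.append(name)
    return hits


def tcpdump_filter(session):
    """BPF expression that isolates this session's packets in a capture."""
    return (f"{session.proto} and host {session.src} and host {session.dst} "
            f"and port {session.sport} and port {session.dport}")


def scope(host, t0, t1):
    """Full pivot: lead -> related sessions -> peers -> full-content files."""
    related = sessions_for_lead(host, t0, t1)
    return {
        "sessions": related,
        "peers": peers_of(host, related),
        "captures": {tcpdump_filter(s): capture_files_for(s) for s in related},
    }


if __name__ == "__main__":
    # Lead: a sysadmin reports odd behaviour on 192.0.2.10 in this window.
    result = scope("192.0.2.10", 1060246800, 1060251000)
    for s in result["sessions"]:
        print(s.start, s.proto, f"{s.src}:{s.sport} -> {s.dst}:{s.dport}", s.bytes)
    print(result["peers"])
    for flt, files in result["captures"].items():
        print(f"tcpdump -n -r <file> '{flt}'  # files: {files}")
```

Nothing in the lead came from a signature; the session data still yields the SMB probes from 198.51.100.7, the IRC-port session and the 2 MB transfer to 203.0.113.5, and for each session the capture file(s) to read with the printed filter. The session that crosses the hourly boundary correctly maps to two files, which is the case an analyst most often gets wrong by hand.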


