Snort mailing list archives
Re: squil
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Thu, 7 Aug 2003 07:51:35 -0700 (PDT)
Tim,

We Sguil-ers are always happy to see people experience the joys of network security monitoring (NSM), not "IDS", first-hand. Collecting data via log_packets.sh isn't a bug -- it's a feature. :) I would prefer to have tcpdump do the collection, but Snort's built-in packet log naming and responsiveness to HUP signals are too convenient at this point.

Two main points:

1. Why NSM and not IDS?

30 seconds on theory -- NSM incorporates four types of data: event, session, full content, and statistical. IDS is traditionally only event data ("port scan", "NIMDA attack", "root login", etc.). This is based on a detection-oriented goal, which is what customers generally want. However, as IDS represents necessary design trade-offs, opportunities for evasion exist. How do you detect, scope, and respond to an incident that triggers no signature, rule, threshold, or anomaly? With NSM, you turn to your session, full content, and statistical data -- perhaps after the incident occurs.

Let's be realistic. A lot of incidents aren't seen by IDS, but are detected elsewhere -- by customers, users, and sys admins. Once the analyst has SOME lead, whether IDS-generated or not, NSM really comes into play to quickly scope and respond to an intrusion.

2. I prefer separate code to collect data for each type of NSM data. For example:

   a. event: Snort
   b. session: argus (Sguil uses stream4's "keepstats")
   c. full content: tcpdump (Sguil uses a 2nd instance of Snort)
   d. statistical: ntop? (this is an area for "opportunities," as Sguil doesn't offer this yet)

For several years we have also collected data using passive fingerprinting (p0f), but I don't think Sguil includes that functionality now.

Separate code helps the NSM platform be more resilient to attack. If another Snort bug is found and exploited, argus, tcpdump, etc. keep working. If tcpdump is exploited again, hopefully Snort, argus, etc. keep working, and so on.
At some point in the future I would like Sguil to offer the user different options on how to collect event, session, full content, and statistical data.

If anyone cares, I'm working on slides for a 21 Aug webcast on this (http://searchsecurity.techtarget.com/webcasts/0,289675,sid14,00.html), a sequel to a webcast Bamm and I did in Dec 02 (http://taosecurity.com/press.html). I also have a book proposal to Addison Wesley on this, but I already have a contract with AW for a forensics book with part of the Anti-Hacker Toolkit book team.

Thanks again for your interest in Sguil! We are ever so beta at this point, but Bamm and the other coders are working as best they can to make Sguil easier to install and use. We appreciate all of the people who are submitting their experiences, especially involving installation. We welcome any help the community would like to provide.

Sincerely,

Richard Bejtlich
richard at taosecurity dot com
http://taosecurity.com
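[Editor's added example, not code from the original post, from Sguil, or from any of the tools Richard names.] The four NSM data types above are easiest to see side by side when all of them are derived from the same full-content capture. The script below builds a small pcap by hand (a constructed sample, not a real capture), then produces event data (a single constructed content signature standing in for a Snort rule), session data (one record per conversation, in the style of argus or stream4 keepstats, but with the simplifying assumption that the first packet seen marks the originator and no TCP state tracking), and statistical data (payload bytes per source). The sample traffic contains an HTTP request that trips the signature and a separate outbound connection to port 4444 that trips nothing; `scope()` shows how a lead on the host still turns up the second conversation from session data alone. Every host, port, payload and rule name is made up for the example.

```python
import struct
from collections import Counter

# --- Constructed sample data: a hand-built pcap, not a real capture ---

def _frame(src, dst, proto, sport, dport, payload, flags=0x18):
    """Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17).
    Checksums are left zero; nothing below verifies them."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Classic little-endian pcap (magic a1b2c3d4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1060000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([  # hypothetical hosts and traffic
    _frame("10.0.0.5", "192.168.1.10", 6, 1025, 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    _frame("192.168.1.10", "10.0.0.5", 6, 80, 1025, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    _frame("192.168.1.10", "10.0.0.5", 6, 1026, 4444, b"", flags=0x02),  # call-back, no signature
    _frame("10.0.0.5", "192.168.1.10", 6, 4444, 1026, b"id\n"),
    _frame("192.168.1.10", "10.0.0.5", 6, 1026, 4444, b"uid=0(root)\n"),
    _frame("192.168.1.10", "10.0.0.53", 17, 53000, 53, b"\x00" * 12),
])

# --- Full content: a tiny pcap reader and IPv4 TCP/UDP decoder ---

def iter_packets(pcap):
    """Yield (ts_sec, frame) from pcap bytes; a minimal reader, not libpcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + caplen]
        off += caplen

def decode(frame):
    """Return the 5-tuple and payload for IPv4 TCP/UDP frames, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if proto not in (6, 17):
        return None
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", l4, 0)
    hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "proto": proto, "sport": sport, "dport": dport, "payload": l4[hdr:]}

# --- Session data: one record per conversation, first packet seen = originator ---

def sessions(pcap):
    table = {}
    for ts, frame in iter_packets(pcap):
        p = decode(frame)
        if p is None:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = (p["proto"],) + (a + b if a <= b else b + a)  # direction-independent key
        s = table.setdefault(key, {"proto": p["proto"], "orig": a, "resp": b, "start": ts,
                                   "end": ts, "orig_pkts": 0, "orig_bytes": 0,
                                   "resp_pkts": 0, "resp_bytes": 0})
        side = "orig" if a == s["orig"] else "resp"
        s["end"] = ts
        s[side + "_pkts"] += 1
        s[side + "_bytes"] += len(p["payload"])
    return list(table.values())

# --- Event data: content matches, the only thing a pure IDS keeps ---

SIGNATURES = [  # constructed rule for the example, not a real Snort rule
    {"name": "WEB-IIS cmd.exe access", "proto": 6, "dport": 80, "content": b"cmd.exe"},
]

def events(pcap, signatures=SIGNATURES):
    hits = []
    for ts, frame in iter_packets(pcap):
        p = decode(frame)
        if p is None:
            continue
        for sig in signatures:
            if p["proto"] == sig["proto"] and p["dport"] == sig["dport"] and sig["content"] in p["payload"]:
                hits.append((ts, p["src"], p["dst"], sig["name"]))
    return hits

# --- Statistical data: payload bytes sent per source address, busiest first ---

def talkers(pcap):
    c = Counter()
    for _, frame in iter_packets(pcap):
        p = decode(frame)
        if p:
            c[p["src"]] += len(p["payload"])
    return c.most_common()

def scope(pcap, host):
    """Given a lead (a host named by a user, an admin, or an alert), pull every
    session that host took part in, including ones no signature fired on."""
    return [s for s in sessions(pcap) if host in (s["orig"][0], s["resp"][0])]

if __name__ == "__main__":
    for e in events(SAMPLE_PCAP):
        print("event  ", e)
    for s in scope(SAMPLE_PCAP, "192.168.1.10"):
        print("session", s["proto"], s["orig"], "->", s["resp"], s["orig_bytes"], s["resp_bytes"])
    print("talkers", talkers(SAMPLE_PCAP))
```

Run it and the event list holds exactly one alert (the cmd.exe request), while `scope()` on the web server also returns the port 4444 conversation that the server itself originated and the DNS exchange, which is the "incident that triggers no signature" case the post describes. Real session collectors such as argus track TCP state rather than trusting the first packet seen, so treat the originator logic here as the simplification it is.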