Snort mailing list archives

Re: OpenSource Alternative to SourceFire's RNA


From: "Sean Wheeler" <s.wheeler () netprotect ch>
Date: Wed, 31 Mar 2004 19:54:39 +0200

hi,

Well, I would not say that I am creating anything new; in fact it's mainly
adding glue to existing open-source tools.

I have created a DB schema which will support selective allocation of rules
per host, amongst many other features, but this one is more to your point:

STAGE 1:
DB schema for IP/MAC/PROTO/PORTS.
The host is defined by IP/MAC/OS/OPEN PORTS; this data is passively collected
off the network.

Process:
arpwatch -> IP/MAC DB TABLE
nwatch -> OPEN PROTO/PORTS DB TABLE
p0f -> Updates IP/MAC TABLE with OS fingerprint

For control, hosts/ports can be manually added or disapproved in the above
tables.

I have the above working reliably already.

STAGE 2:

DB schema for existing signature manipulation and new sig creation.

I have this working reliably already.

STAGE 3:

DB schema for sig -> OS map -> App map.

I have the schema worked out and am presently populating data.
The first run has been extracting data from my DB static reference, sigs and
sig docs, matching OS to sid etc.
(All scripts rip the data directly from the raw Snort snapshots, so there is
minimal manual labour here.)
Obviously adjusting the schema as we go ;)

STAGE 4:

DB schema for Snort events. The present DB schema is nice, but not scalable,
and Snort wastes a lot of time dealing with menial DB entries.
(I have the sigs in the DB already; I don't need Snort building another
table of signature/sig_reference/sig_class etc. etc.)

STAGE 5:

Create a frontend to it all.
(Presently working purely inside the DB... lol, oh well, it's a BIG place in
there ;)


And if you got to the bottom of this long blah blah: my goal is to create an
open-source management platform surrounding Snort, not just looking at
events.

regards

Sean
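
The Stage 1 glue described above, as an added example in Python with SQLite. This is not Sean's code and does not reproduce arpwatch, p0f or nwatch themselves; it only consumes their output into the IP/MAC/OS/open-port tables he describes and applies the manual approve/disapprove control. The arpwatch and p0f lines below are constructed approximations of those tools' log formats, and the "open <proto> <ip> <port>" lines are a hypothetical stand-in for nwatch output (the example does not know nwatch's real format); the table and function names are likewise assumptions.

```python
"""Passive host inventory: glue for arpwatch, p0f and port observations.

Added example; not Sean's code, and not a copy of any of those tools.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS host (
    ip       TEXT PRIMARY KEY,
    mac      TEXT,
    os       TEXT,
    approved INTEGER NOT NULL DEFAULT 1      -- 0 = manually disapproved
);
CREATE TABLE IF NOT EXISTS host_port (
    ip       TEXT    NOT NULL REFERENCES host(ip),
    proto    TEXT    NOT NULL,
    port     INTEGER NOT NULL,
    approved INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (ip, proto, port)
);
"""

# arpwatch syslog lines: "new station <ip> <mac> <if>" and
# "changed ethernet address <ip> <newmac> (<oldmac>) <if>".  arpwatch prints
# MAC octets without zero padding, so they are normalised before storage.
ARPWATCH_RE = re.compile(
    r"arpwatch: (?:new station|changed ethernet address) "
    r"(\d+\.\d+\.\d+\.\d+) ([0-9a-fA-F:]+)")
# p0f 2.x style line: "<src>:<port> - <OS guess> [(up: ...)] -> <dst>:<port> (...)"
P0F_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+):\d+ - (.*?)(?: \(up: [^)]*\))? -> \d+\.\d+\.\d+\.\d+:\d+")
# Hypothetical "open <proto> <ip> <port>" lines standing in for nwatch output.
PORT_RE = re.compile(r"^open (tcp|udp) (\d+\.\d+\.\d+\.\d+) (\d+)$")


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _norm_mac(mac):
    """0:a:b:c:d:e -> 00:0a:0b:0c:0d:0e so one host never gets two spellings."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def _ensure_host(conn, ip):
    conn.execute("INSERT OR IGNORE INTO host (ip) VALUES (?)", (ip,))


def ingest_line(conn, line):
    """Route one observation to its table; returns the source matched or None."""
    m = ARPWATCH_RE.search(line)
    if m:
        ip, mac = m.group(1), _norm_mac(m.group(2))
        _ensure_host(conn, ip)
        conn.execute("UPDATE host SET mac = ? WHERE ip = ?", (mac, ip))
        return "arpwatch"
    m = P0F_RE.match(line)
    if m:
        ip, os_guess = m.group(1), m.group(2)
        if os_guess.startswith("UNKNOWN"):
            return "p0f-unknown"      # no fingerprint match: keep any earlier guess
        _ensure_host(conn, ip)
        conn.execute("UPDATE host SET os = ? WHERE ip = ?", (os_guess, ip))
        return "p0f"
    m = PORT_RE.match(line)
    if m:
        proto, ip, port = m.group(1), m.group(2), int(m.group(3))
        _ensure_host(conn, ip)
        conn.execute("INSERT OR IGNORE INTO host_port (ip, proto, port) "
                     "VALUES (?, ?, ?)", (ip, proto, port))
        return "port"
    return None


def disapprove_port(conn, ip, proto, port):
    """Manual control: keep the row but exclude it from the approved inventory."""
    conn.execute("UPDATE host_port SET approved = 0 "
                 "WHERE ip = ? AND proto = ? AND port = ?", (ip, proto, port))


def inventory(conn):
    """Approved hosts with their approved listening ports, keyed by IP."""
    result = {}
    for ip, mac, os_guess in conn.execute(
            "SELECT ip, mac, os FROM host WHERE approved = 1 ORDER BY ip"):
        ports = conn.execute(
            "SELECT proto, port FROM host_port WHERE ip = ? AND approved = 1 "
            "ORDER BY proto, port", (ip,)).fetchall()
        result[ip] = {"mac": mac, "os": os_guess, "ports": ports}
    return result


# Constructed sample observations (not real captures).
SAMPLE_LINES = [
    "Mar 31 19:00:01 sensor arpwatch: new station 10.0.0.5 0:a:b:c:d:e eth0",
    "Mar 31 19:00:02 sensor arpwatch: new station 10.0.0.7 0:1:2:3:4:5 eth0",
    "10.0.0.5:33100 - Linux 2.4/2.6 (up: 3 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)",
    "10.0.0.7:1045 - Windows 2000 SP4 -> 10.0.0.1:80 (distance 0, link: ethernet/modem)",
    "open tcp 10.0.0.5 22",
    "open tcp 10.0.0.5 80",
    "open tcp 10.0.0.7 139",
    "open udp 10.0.0.7 137",
    "Mar 31 19:05:00 sensor arpwatch: changed ethernet address 10.0.0.5 0:a:b:c:d:f (0:a:b:c:d:e) eth0",
]


def build_inventory(lines):
    conn = open_db()
    for line in lines:
        ingest_line(conn, line)
    disapprove_port(conn, "10.0.0.7", "udp", 137)   # operator rejects one port
    return inventory(conn)


if __name__ == "__main__":
    for ip, info in build_inventory(SAMPLE_LINES).items():
        print(ip, info)
```

The "changed ethernet address" line overwrites the MAC for 10.0.0.5, which is the case a real deployment has to decide about: arpwatch reports it as a possible spoof, and an inventory that silently accepts the new address loses that signal, so a production version would log the old value rather than just replace it.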

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Josh
Berry
Sent: Wednesday, 31 March 2004 17:39
To: AJ Butcher, Information Systems and Computing
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] OpenSource Alternative to SourceFire's RNA


I am not looking for correlation; I have already done a great deal of
development on an application that correlates Snort/Nessus/Windows Event
Logs, and am working on firewall logs.  What I want is something that tracks
MACs across the network, updating information such as current IP address,
operating system, ports being used, and services running on the used
ports.  This information should be collected passively, like SourceFire's
RNA or similar to Tenable's NeVo product.

With this kind of information an adaptive security environment could be
created that automatically tunes IDS/VA devices to match the current
threat level for the network environment.

The only way I know of to do this is to create signatures in Snort
that recognize specific services and operating systems, log them in a
format such as CSV, and then run a background process that tails the CSV
file and inputs new information into a database, or updates old
information with current changes.

This method, however, would be a big undertaking, as there are thousands of
applications and versions out there.  The most efficient method I can
think of is to classify application types (DB/WWW/FTP/DNS) with common
port listings and assign signatures to the class listings in one big
database.  Once done, a script could be created to automatically generate
the signatures.

Thanks



--On 30 March 2004 09:25 -0600 Josh Berry <josh.berry () netschematics com>
wrote:

Is anyone working on OpenSource alternatives to SourceFire's RNA product?
I was thinking about using p0f to dump OS information into a file and then
export it to a database, but I really would like to gather service-level
information and eventually passively identify vulnerabilities.  The only
ways that I can think of getting any of this kind of information passively
are with NTOP or developing signatures for Snort alerting on specific
services (seeing Apache 1.3.29 in an HTTP string), sending that data to a
file and then exporting it with another program, only updating new
entries.

At any level it would be a massive undertaking; anyone interested?

OS-Sim <http://www.ossim.net> looks like the way to go; it correlates the
results of previous Nessus scans with Snort alerts, and bumps the priority
of alerts appropriately.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
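
Josh Berry's reply above proposes classifying application types (DB/WWW/FTP/DNS) with their common ports, attaching signatures to the classes in one database, and generating the Snort rules by script. The following is an added example of that generator, not code from Josh, Sean or any named project. The class/port/content seed data is constructed for the example, the table names and the `ports=` filter are assumptions, and the rules it emits use plain Snort 2 syntax (`alert`, `flow`, `content`, `sid`/`rev`), with sids allocated from 1,000,000 upward because Snort reserves lower sids for its own rule set.

```python
"""Generate Snort rules from a service-class table.

Added example; not code from the thread's authors or from Snort itself.
"""
import sqlite3

SCHEMA = """
CREATE TABLE service_class (
    name  TEXT PRIMARY KEY,
    proto TEXT NOT NULL
);
CREATE TABLE class_port (
    class_name TEXT    NOT NULL REFERENCES service_class(name),
    port       INTEGER NOT NULL,
    PRIMARY KEY (class_name, port)
);
CREATE TABLE class_signature (
    class_name TEXT NOT NULL REFERENCES service_class(name),
    label      TEXT NOT NULL,   -- what the content identifies
    direction  TEXT NOT NULL,   -- to_server (client request) or to_client (server banner)
    content    TEXT NOT NULL,   -- Snort content string; hex bytes go between '|'
    PRIMARY KEY (class_name, label)
);
"""

# Constructed seed: class -> (proto, common ports, [(label, direction, content)]).
SEED = {
    "WWW": ("tcp", [80, 8080], [("Apache banner", "to_client", "Server|3A| Apache"),
                                ("HTTP request", "to_server", "GET ")]),
    "FTP": ("tcp", [21], [("FTP banner", "to_client", "220 ")]),
    "DNS": ("udp", [53], []),    # no payload content yet; still gets a port rule
}

LOCAL_SID_START = 1000000   # sids below 1,000,000 are reserved for Snort's own rules


def load_seed(conn, seed=SEED):
    conn.executescript(SCHEMA)
    for name, (proto, ports, sigs) in seed.items():
        conn.execute("INSERT INTO service_class VALUES (?, ?)", (name, proto))
        conn.executemany("INSERT INTO class_port VALUES (?, ?)",
                         [(name, p) for p in ports])
        conn.executemany("INSERT INTO class_signature VALUES (?, ?, ?, ?)",
                         [(name, label, d, c) for label, d, c in sigs])


def _esc(text):
    """Escape the characters Snort requires escaped inside quoted options."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def generate_rules(conn, home_net="$HOME_NET", ports=None, first_sid=LOCAL_SID_START):
    """One rule per (class, port, content).  If `ports` is given, only rules for
    those ports are emitted: that is the tuning step, feeding the generator the
    ports actually observed open instead of every port in every class."""
    rules, sid = [], first_sid
    rows = conn.execute("""
        SELECT c.name, c.proto, p.port, s.label, s.direction, s.content
          FROM service_class c
          JOIN class_port p ON p.class_name = c.name
          LEFT JOIN class_signature s ON s.class_name = c.name
         ORDER BY c.name, p.port, s.label""")
    for name, proto, port, label, direction, content in rows:
        if ports is not None and port not in ports:
            continue
        if label is None:
            # Class with ports but no payload content: record service use by port only.
            header = f"alert {proto} any any -> {home_net} {port}"
            opts = f'msg:"{_esc(name)} service on port {port}";'
        elif direction == "to_client":
            # Server banner travels from the service port back to the client.
            header = f"alert {proto} {home_net} {port} -> any any"
            opts = (f'msg:"{_esc(name)} service - {_esc(label)}"; '
                    f'flow:to_client,established; content:"{content}";')
        else:
            header = f"alert {proto} any any -> {home_net} {port}"
            opts = (f'msg:"{_esc(name)} service - {_esc(label)}"; '
                    f'flow:to_server,established; content:"{content}";')
        rules.append(f"{header} ({opts} classtype:misc-activity; sid:{sid}; rev:1;)")
        sid += 1
    return rules


def build_rules(ports=None):
    conn = sqlite3.connect(":memory:")
    load_seed(conn)
    return generate_rules(conn, ports=ports)


if __name__ == "__main__":
    print("\n".join(build_rules()))
```

Because sids are handed out by position, re-running the generator after inserting a class renumbers everything after it; an installation that keeps Snort alerts in a database keyed by sid (as both Sean's Stage 4 and Josh's CSV-to-DB loop would) needs a stored sid per (class, port, label) instead, or the history stops matching the rules.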








-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
