Snort mailing list archives

Re: OpenSource Alternative to SourceFire's RNA


From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Thu, 01 Apr 2004 10:42:20 +0100
--On 31 March 2004 09:39 -0600 Josh Berry <josh.berry () netschematics com> wrote:

> I am not looking for correlation, I have already done a great deal of
> development on an application that correlates Snort/Nessus/Windows Event
> Logs/and working on Firewall logs.  What I want is something that tracks
> MAC's across the network, updating information such as current IP address,
> operating systems, port being used, and services running on the used
> ports.  This information should be collected passively like SourceFire's
> RNA or similar to Tenable's NeVo product.

Ossim also integrates with ntop, p0f and arpwatch (arpwatch needs a small patch to allow it to listen on interfaces without any IPv4 address). You can also assign values to assets which it uses to calculate most-at-risk/most-likely-to-be-compromised hosts.


> With this kind of information an adaptive security environment could be
> created that automatically tunes IDS/VA devices to match the current
> threat level for the network environment.
>
> The only way I know of how to do this is to create signatures in Snort
> that recognize specific services and Operating Systems, log them in a
> format such as CSV and then run a background process that tails the CSV
> file and inputs new information into a database, or updates old
> information with current changes.
>
> This method however would be a big undertaking as there are thousands of
> applications and versions out there.  The most efficient method I can
> think of is to classify application types (DB/WWW/FTP/DNS) with common
> port listings and assign signatures to the class listings in one big
> database.  Once done a script could be created to automatically generate
> the signatures.

As far as I can see, this is exactly the direction ossim is heading.

> Thanks

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
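The "tail the CSV, upsert into a database" design quoted above, written out as an added Python example (not code from this thread, from ossim or from Snort). It assumes a hypothetical CSV column layout of time,mac,ip,port,service,os and uses SQLite so it runs offline. The MAC is the stable key: when a known MAC shows up with a new IP the old address is kept in a history table instead of being overwritten, an empty OS field does not clobber an earlier fingerprint, and the tail routine only consumes complete lines so a record the logger is still writing is picked up on the next poll rather than being half-parsed.

```python
import csv
import io
import os
import sqlite3
import tempfile

# Constructed sample records (hypothetical column layout: time,mac,ip,port,service,os).
# Host ...:01 changes IP between the first and last record; the third record has no OS guess.
SAMPLE_LINES = [
    "2004-03-31T09:40:01,00:0C:29:AA:BB:01,192.168.1.10,80,http,Linux 2.4",
    "2004-03-31T09:40:05,00:0c:29:aa:bb:02,192.168.1.11,445,smb,Windows XP",
    "2004-03-31T09:41:10,00:0c:29:aa:bb:01,192.168.1.10,22,ssh,",
    "2004-03-31T09:55:00,00:0c:29:aa:bb:01,192.168.1.42,80,http,Linux 2.4",
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    mac TEXT PRIMARY KEY, ip TEXT NOT NULL, os TEXT,
    first_seen TEXT NOT NULL, last_seen TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS services (
    mac TEXT NOT NULL, port INTEGER NOT NULL, service TEXT, last_seen TEXT NOT NULL,
    PRIMARY KEY (mac, port));
CREATE TABLE IF NOT EXISTS ip_history (
    mac TEXT NOT NULL, ip TEXT NOT NULL, seen TEXT NOT NULL);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def ingest_record(conn, ts, mac, ip, port, service, os_name):
    """Upsert one observation; the MAC is the stable identity, IP/OS are current values."""
    mac = mac.lower()                 # normalise so AA:BB and aa:bb are one host
    os_name = os_name or None         # empty OS field must not erase an earlier guess
    row = conn.execute("SELECT ip FROM hosts WHERE mac = ?", (mac,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO hosts VALUES (?,?,?,?,?)", (mac, ip, os_name, ts, ts))
        conn.execute("INSERT INTO ip_history VALUES (?,?,?)", (mac, ip, ts))
    else:
        if row[0] != ip:              # address moved: keep the transition, don't lose it
            conn.execute("INSERT INTO ip_history VALUES (?,?,?)", (mac, ip, ts))
        conn.execute("UPDATE hosts SET ip=?, os=COALESCE(?, os), last_seen=? WHERE mac=?",
                     (ip, os_name, ts, mac))
    conn.execute("INSERT OR REPLACE INTO services VALUES (?,?,?,?)",
                 (mac, int(port), service, ts))


def ingest_csv(conn, fileobj):
    """Parse CSV rows from a file-like object; malformed rows are skipped, not fatal."""
    n = 0
    for rec in csv.reader(fileobj):
        if len(rec) != 6:
            continue
        ingest_record(conn, *rec)
        n += 1
    conn.commit()
    return n


def ingest_from_offset(conn, path, offset=0):
    """Poll-style tail: read everything appended since `offset`, ingest only complete
    lines, and return (records_ingested, new_offset). A trailing partial line is left
    in place for the next poll."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n")
    if end < 0:
        return 0, offset
    text = data[:end + 1].decode("utf-8", errors="replace")
    return ingest_csv(conn, io.StringIO(text)), offset + end + 1


def inventory(conn):
    """Current view per MAC: live IP, best OS guess, open ports, and IP history."""
    out = {}
    for mac, ip, os_name in conn.execute("SELECT mac, ip, os FROM hosts ORDER BY mac"):
        ports = [p for (p,) in conn.execute(
            "SELECT port FROM services WHERE mac=? ORDER BY port", (mac,))]
        ips = [i for (i,) in conn.execute(
            "SELECT ip FROM ip_history WHERE mac=? ORDER BY seen", (mac,))]
        out[mac] = {"ip": ip, "os": os_name, "ports": ports, "ip_history": ips}
    return out


def demo():
    """Simulate two polls of a CSV file that a logger is still appending to."""
    conn = open_db()
    fd, path = tempfile.mkstemp(suffix=".csv")
    os.close(fd)
    try:
        # first poll: three complete lines plus the beginning of a fourth
        with open(path, "w") as fh:
            fh.write("\n".join(SAMPLE_LINES[:3]) + "\n" + SAMPLE_LINES[3][:20])
        n1, off = ingest_from_offset(conn, path, 0)
        # second poll: the logger has finished the fourth line
        with open(path, "a") as fh:
            fh.write(SAMPLE_LINES[3][20:] + "\n")
        n2, off = ingest_from_offset(conn, path, off)
    finally:
        os.unlink(path)
    return {"first_poll": n1, "second_poll": n2, "inventory": inventory(conn)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the loop would call ingest_from_offset on a timer and persist the returned offset, and would need to reset it when the logger rotates the file (a smaller size than the saved offset is the usual tell).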
