Snort mailing list archives

RE: IDS provisioning site analysis tool?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Tue, 13 Apr 2004 09:55:55 -0500

That's all well and good for an installed IDS product, but it sounds to
me as if RNA is both a compensation for a lack of administrator
knowledge and an ongoing false-positive reduction technique.  I think
what I'm looking for is more of a tool to help admins understand what
their environment is prior to deploying IDS.

Most of this is based on my experiences with my current IDS setup.  If I
only relied on the snort.org rulesets, I'd be missing a whole slew of
traffic that, while not hostile from the signature standpoint, is at a
minimum anomalous (i.e. IP addresses that are not ours sourcing traffic
that is destined to IP addresses which are also not ours, etc.) and at
worst point to serious chinks in our network armor.  We've done a number
of tcpdump experiments, gradually winnowing out stuff that we don't want
to see and it has helped us develop custom rules that are extremely good
at finding these oddities.  I was hoping to find either a tool or enough
people interested in such a tool to get one written.

Jon

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com] 
Sent: Tuesday, April 13, 2004 9:33 AM
To: Williams Jon
Cc: Snort Users List; Focus-Ids
Subject: Re: [Snort-users] IDS provisioning site analysis tool?

Hi Jon,

I think our RNA product can help you, it performs passive OS
identification, passive service protocol identification (including
vendor and version ID), flow logging, passive vulnerability inference,
target (host) modeling, etc.

To address your "feature list", RNA can do the following things:

- Connection summaries (flow logging/analysis)
- Passive OS & Service fingerprinting including identification of
service vendor/version
- List of services/vendors/versions & host models for rules selection

It doesn't produce automatic rule tuning at this point, I think that
that feature will show up in the future though.

RNA is a commercial product though, so I don't know how that might fit
with budgetary constraints you might have.

One thing you might consider if you *do* have a budget is that
Sourcefire is offering a Snort Agent product now that can transport
event data from open source sensors up to the Sourcefire Management
Console (MC) for analysis/reporting/incident management.  Our version
3.1.2 update for the MC that's coming out this week includes an Impact
Correlator that analyzes events coming from the IDSes against RNA's
network/vulnerability map and can gauge the impact of an event based on
the real-time assessment of your network environment.  This is pretty
cool because it's independent of the arbitrary priority field in Snort
rules that may or may not have any relevance to your actual network.

Anyway, enough marketing foo.  If you want to try to wire something
together with open source parts you could probably do so with a variety
of pieces parts and a bunch of perl, depends on how much time you've
got...

      -Marty

On Apr 12, 2004, at 12:43 PM, Williams Jon wrote:

I've been doing IDS work at one site for several years now and have
found that, with a lack of knowledge about what network traffic is supposed
to exist, one spends the majority of their efforts researching
non-issues.
Having spent the time on my local network, I've got that understanding
here, but I'm considering locating sensors at other sites where that
knowledge is lacking.  Over the weekend, I got this wild hair that I'd
like a tool that I could run on the new sensor box prior to kicking up
the IDS.  This tool would do the following things:

- Monitor the network, displaying some form of a summary of
connections, probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on
Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in
the future and document what it is

Additionally, I think that it might be useful to be able to produce 
some form of output that lists the applications/OSes found for use in 
selecting IDS rules (i.e. use the file with some script that would 
deactivate any snort.org rule for which there isn't a corresponding 
target).  I doubt that this feature would be in any current tool, 
although I think it could be useful.

The way I'm thinking, I'd do a site survey, identify everything I 
could as a known application.  Whatever's left would need to be 
tracked down and either documented as a proper business app or 
terminated.  Once that's done, this tool could produce the "My 
Environment" list for use in building IDS rulesets and/or continue 
running as a daily checkpoint for new, unknown/unauthorized traffic.

So, does anyone know of a tool or a set of tools that can do this?  If
not, does anyone else see any value in such a beast?

Thanks.

Jon



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux 
tutorial presented by Daniel Robbins, President and CEO of GenToo 
technologies. Learn everything from fundamentals to system 
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring roesch () sourcefire com -
http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
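The site-survey workflow Jon describes above (a connection summary organized by service port, a "My Environment" baseline, a daily checkpoint for new or unauthorized traffic, flows that are neither sourced from nor destined to our own address space, and a script that deactivates snort.org rules with no corresponding target) is sketched here as an added example. It is not code from the thread, from Sourcefire or from the Snort project. The flow records, the address ranges, the baseline and the rules are all constructed sample data, and matching rules to targets by the category prefix of the rule's msg string is an assumption of this example, not a Snort convention.

```python
"""Passive site-survey helper: added example, not code from the mailing-list thread."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (src_ip, dst_ip, proto, dst_port).
# In practice these would be parsed from a flow logger or "tcpdump -nn" output.
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.2.5", "tcp", 80),
    ("10.1.1.21", "10.1.2.5", "tcp", 80),
    ("10.1.1.20", "10.1.2.6", "tcp", 25),
    ("10.1.1.22", "10.1.2.7", "tcp", 3306),     # not in baseline -> new service
    ("192.0.2.9", "198.51.100.4", "tcp", 445),  # neither end is ours -> anomalous
    ("10.1.1.23", "10.1.2.5", "udp", 53),
]

# Constructed: the address space this site owns.
OUR_NETS = [ip_network("10.1.0.0/16")]

# Constructed "My Environment" baseline: (proto, port) -> rule category observed
# there during the survey (category names are assumed msg prefixes, not a standard).
BASELINE = {
    ("tcp", 80): "WEB-MISC",   # Apache on Linux, so WEB-MISC applies but WEB-IIS does not
    ("tcp", 25): "SMTP",
    ("udp", 53): "DNS",
}

# Constructed sample rules in Snort 2.x syntax; only the msg prefix matters here.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sample"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sample"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sample"; sid:9000004; rev:1;)
"""

MSG_CATEGORY_RE = re.compile(r'msg:"([A-Z0-9-]+)')


def is_ours(ip):
    """True when the address falls inside one of our own networks."""
    addr = ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def summarize(flows):
    """Connection summary organized by service port: flow count and distinct servers."""
    counts = Counter()
    servers = defaultdict(set)
    for _src, dst, proto, port in flows:
        counts[(proto, port)] += 1
        servers[(proto, port)].add(dst)
    return {svc: {"flows": counts[svc], "servers": sorted(servers[svc])} for svc in counts}


def find_unknown_services(summary, baseline):
    """Daily checkpoint: services seen on the wire that the baseline does not document."""
    return sorted(svc for svc in summary if svc not in baseline)


def find_transit_flows(flows):
    """Flows where neither endpoint is ours: transit, misrouted or spoofed traffic."""
    return [f for f in flows if not is_ours(f[0]) and not is_ours(f[1])]


def tune_rules(rules_text, environment_categories):
    """Comment out any alert rule whose msg category has no observed target."""
    tuned = []
    for line in rules_text.splitlines():
        match = MSG_CATEGORY_RE.search(line)
        if line.startswith("alert") and match and match.group(1) not in environment_categories:
            tuned.append("# " + line)  # disabled: no matching target in the site survey
        else:
            tuned.append(line)
    return "\n".join(tuned)


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for svc, info in sorted(summary.items()):
        print(f"{svc[0]}/{svc[1]:<5} flows={info['flows']:<3} servers={','.join(info['servers'])}")
    print("unknown services:", find_unknown_services(summary, BASELINE))
    print("transit flows:", find_transit_flows(SAMPLE_FLOWS))
    print(tune_rules(SAMPLE_RULES, set(BASELINE.values())))
```

Run once during the survey to build the summary, document each service into the baseline, and then rerun daily: anything reported by find_unknown_services or find_transit_flows is exactly the "tracked down and either documented or terminated" work item the post describes, and tune_rules turns the documented baseline into a trimmed rule file.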
