Snort mailing list archives
Re: Alert on new IP in use?
From: Daniel Cid <daniel.cid () sourcefire com>
Date: Mon, 01 Aug 2005 18:36:44 -0400
I didn't know about the NBS from Marcus. However, the OSSEC HIDS does what I called the "FTS" (First time seen). The idea is very close to the NBS and very useful to avoid false positives and an excessive number of alerts. Basically, when a new (first time seen) snort event is generated it will increase the "level" (or importance) of this event and generate an alert (mail notification, etc). From my tests, after a few days running the application, most of the snort false positives will go out and you will only get "new" and important stuff.

The FTS from the OSSEC HIDS also works with ssh, ftp, su and sudo logs (I'm working to add support for other log types). For example, it will notify when the user "xyz" logs in for the first time on the server "abc". It also performs some statistical analysis + rule-based log analysis (in the xml format).

If anyone is interested: http://www.ossec.net/hids/

A new version is coming soon with an integrated and scalable integrity check process.
Daniel

Williams Jon wrote:

I realize your question was posted to the snort list, but there is a neat tool called Never Before Seen (NBS) by Marcus Ranum that does this. I worked with it for a while, but got pulled off on other projects so I haven't touched it in a while. Should work well for your application, though. You can find NBS at Marcus' website: http://www.ranum.com/security/computer_security/index.html

Jon

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, August 01, 2005 8:15 AM
To: Snort Users Postings
Subject: [Snort-users] Alert on new IP in use?

Looking for a way to monitor a small banking network and generate an alert when an unused IP address is observed. The current IP's are not consecutive. Example: we have 26 static IP addresses assigned to workstations and servers. If a 27th (or greater) address appears on the wire, generate an alert. (Note: not very interested in watching MAC addresses as some of the IP's are behind another layer-3 device.) Thoughts?

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
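The two approaches discussed in this thread, Rich's inventory check (notify when an address outside the known set of static hosts shows up) and Daniel's first-time-seen escalation (raise the level of a snort event whose combination has never been seen before), as an added example that is not part of the original thread and not OSSEC's or NBS's code; the alert lines, the four-host inventory standing in for the 26 static addresses, and the scoring constants are constructed placeholders:

```python
import re

# Constructed Snort "fast"-style alert lines (not real traffic). The 26 static
# addresses Rich mentions are stood in for by four assumed placeholder hosts.
SAMPLE_ALERTS = """\
08/01-08:15:02.000001 [**] [1:100:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 10.0.0.10:40001 -> 10.0.0.50:80
08/01-08:15:03.000001 [**] [1:100:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 10.0.0.11:40002 -> 10.0.0.50:80
08/01-08:15:04.000001 [**] [1:100:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 10.0.0.77:40003 -> 10.0.0.50:80
08/01-08:15:05.000001 [**] [1:100:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 10.0.0.10:40004 -> 10.0.0.50:80
08/01-08:15:06.000001 [**] [1:100:1] CONSTRUCTED web probe [**] [Priority: 3] {TCP} 10.0.0.77:40005 -> 10.0.0.20:22
"""
KNOWN_HOSTS = {"10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.50"}  # assumed inventory

ALERT_RE = re.compile(
    r"\[(\d+:\d+:\d+)\] .*?\[Priority: (\d)\] \{\w+\} (\S+):\d+ -> (\S+):\d+")
NEW_HOST_BUMP, NEW_SIG_BUMP, NOTIFY_AT = 4, 2, 6   # assumed scoring, not OSSEC's own


class FirstTimeSeen:
    """Remember every key observed; say whether a key is being seen for the first time."""

    def __init__(self, baseline=()):
        self.seen = set(baseline)

    def first(self, key):
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def run(alert_text, known_hosts):
    """Return the events that reach the notification level, with the reason they did."""
    hosts = FirstTimeSeen(known_hosts)   # Rich's case: an address not in the inventory
    sigs = FirstTimeSeen()               # Daniel's FTS: a (sid, src, dst) never seen before
    notifications = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue                     # not a fast-format alert line
        sid, prio, src, dst = m.groups()
        level = 4 - int(prio)            # Snort priority 1 is most severe -> level 3
        new_ips = [ip for ip in (src, dst) if hosts.first(ip)]
        new_sig = sigs.first((sid, src, dst))
        level += NEW_HOST_BUMP * bool(new_ips) + NEW_SIG_BUMP * new_sig
        if level >= NOTIFY_AT:
            notifications.append({"sid": sid, "src": src, "dst": dst,
                                  "level": level, "new_ips": new_ips})
    return notifications
```

Only the first sighting of 10.0.0.77 crosses the threshold; its second appearance on the last line is already "seen" and stays quiet, which is the noise reduction Daniel describes.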
Current thread:
- Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? James Riden (Aug 01)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? James Riden (Aug 03)
- Re: Alert on new IP in use? Jason Benway (Aug 09)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Jeff Coppock (Aug 02)
- <Possible follow-ups>
- RE: Alert on new IP in use? Williams Jon (Aug 01)
- Re: Alert on new IP in use? Daniel Cid (Aug 01)
- Re: Alert on new IP in use? Donofrio, Lewis (Aug 04)