Snort mailing list archives

Re: Alert on new IP in use?


From: Daniel Cid <daniel.cid () sourcefire com>
Date: Mon, 01 Aug 2005 18:36:44 -0400

I didn't know about the NBS from Marcus. However, the OSSEC HIDS
does what I called the "FTS" (First time seen). The idea is very close to the NBS and very useful to avoid false positives and an excessive number of alerts. Basically, when a new (first time seen) snort event is generated it will increase the "level" (or importance) of this event and generate an alert (mail notification, etc). From my tests, after a few days running the application, most of the snort false positives will go out and you will only get "new" and important stuff.

*The FTS from the OSSEC HIDS also works with ssh, ftp, su and sudo logs (I'm working to add support for other log types). For example, it will notify when the user "xyz" logs in for the first time on the server "abc". It also performs some statistical analysis + rule-based log analysis (in XML format).

If anyone is interested: http://www.ossec.net/hids/

*a new version is coming soon with an integrated and scalable integrity check process.

Daniel
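The "first time seen" idea from this reply, applied to the original question, as an added illustration (not OSSEC or NBS code): a tracker that escalates a Snort alert_fast event the first time its signature appears, and the first time an address inside the monitored network appears that is not on the list of known static hosts. The alert lines, the 192.0.2.0/24 network and the known-host list are constructed sample data; state is kept in memory only.

```python
import ipaddress
import re

# Constructed Snort alert_fast lines for the demo (not from the original thread).
SAMPLE_ALERTS = [
    "08/01-08:15:02.000001 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.20:1434",
    "08/01-08:15:05.000002 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.21:1434",
    "08/01-08:16:11.000003 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:40123 -> 192.0.2.20:80",
    "08/01-08:16:12.000004 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:40124 -> 192.0.2.20:80",
]

# Pulls generator id, signature id, priority and the two endpoint addresses out of one line.
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?\[Priority: (?P<prio>\d+)\] "
    r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


class FirstTimeSeen:
    """Escalate an event the first time its signature or a local host is observed."""

    def __init__(self, local_net, known_hosts):
        self.local_net = ipaddress.ip_network(local_net)
        # The known static addresses are pre-seeded so they never trigger.
        self.seen_hosts = {ipaddress.ip_address(h) for h in known_hosts}
        self.seen_sigs = set()

    def process(self, line):
        m = FAST_RE.search(line)
        if not m:
            return None
        reasons = []
        sig = (m["gid"], m["sid"])
        if sig not in self.seen_sigs:
            self.seen_sigs.add(sig)
            reasons.append(f"first time seen: signature {sig[0]}:{sig[1]}")
        # Only addresses inside the monitored network count; Internet peers are always "new".
        for ip in (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])):
            if ip in self.local_net and ip not in self.seen_hosts:
                self.seen_hosts.add(ip)
                reasons.append(f"first time seen: local host {ip}")
        return {"priority": int(m["prio"]), "escalate": bool(reasons), "reasons": reasons}


def run(lines, local_net="192.0.2.0/24", known_hosts=("192.0.2.20", "192.0.2.21")):
    fts = FirstTimeSeen(local_net, known_hosts)
    return [fts.process(line) for line in lines]
```

Only the first and third sample lines escalate; the repeats are suppressed, which is the noise reduction the reply describes.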

Williams Jon wrote:

I realize your question was posted to the snort list, but there is a
neat tool called Never Before Seen (NBS) by Marcus Ranum that does this.
I worked with it for a while, but got pulled off on other projects so I
haven't touched it in a while.  Should work well for your application,
though.

You can find NBS at Marcus' website:

http://www.ranum.com/security/computer_security/index.html

Jon
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich
Adamson
Sent: Monday, August 01, 2005 8:15 AM
To: Snort Users Postings
Subject: [Snort-users] Alert on new IP in use?


Looking for a way to monitor a small banking network and generate an
alert when an unused IP address is observed. The current IPs are not
consecutive.

Example: we have 26 static IP addresses assigned to workstations and
servers. If a 27th (or greater) address appears on the wire, generate an
alert. (Note: not very interested in watching MAC addresses as some of
the IPs are behind another layer-3 device.)

Thoughts?




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users