Snort mailing list archives
RE: New Snort Mapping application...looking for feedback
From: "Charles Heselton" <charles.heselton () gmail com>
Date: Tue, 22 Nov 2005 09:08:36 -0800
Looks like Google Earth + xtraceroute. I think that the highest value would be in the trending aspect you mentioned. Being able to track events over a period of time would be a nice feature.

--
Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
In memoriam: http://www.militarycity.com/valor/1029976.html
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ryan Trost
Sent: Tuesday, November 22, 2005 7:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Snort Mapping application...looking for feedback

Just looking for some feedback from Snort users....

I've created an application that takes the alerts generated by Snort, extracts them from a MS SQL DB and fairly accurately plots them to a visual mapping software. The mapping capabilities allow the user to choose between {global, continent, country, state, or city and/or street depending on satellite coverage in that area -- see attachment} levels to help identify/monitor packet communications by implementing satellite imagery. The mapping display also has several distinct visual aids to help users differentiate between priority 1-5 alerts and packet protocol (TCP/ICMP/UDP), color-codes the node depending on the time relation of the alert (bold red just occurred whereas light red occurred xxx hours ago), checks the source IP against well known proxy servers, and also gives the source local time of the attack (a vital piece of information I rarely see in IDS). The attached screen capture will give you a better idea. It's an older screen capture and very specific as it only shows a single alert, but you get the idea.

The product's development stemmed from the fact that tcpdumps and alert headers are extremely informative to that specific packet. But I wanted to focus more on the source of the packet...where are they geographically located? What time is it there? Is there any kind of group attack (now that cell phones and broadband are mainstream...attacks can be (and are) a joint effort)?

I know it sounds a lot like traceroute and IP trace...but it's much faster and is automated to give the user the ability to monitor "real-time" (refresh view every 5 seconds) or give it a date range (give me all alerts in the past 30 days) and of course interfaces with our favorite IDS -- SNORT.

This application is currently nameless (any ideas???) and is currently running in a Windows environment (all you NIX'rs stop booing...I'm being forced to use that environment because of work restrictions). I know several other proprietary IDSs have this capability but I've never come across Snort having this capability. Has anyone else? (I hope not, because then I just wasted countless hours of work.) Would anybody be interested in this? Am I way out in left field?

I'm finishing up the 'standalone' version of it and, given decent feedback, will design an equivalent web app that allows people to upload their Snort logs and see for themselves.

A side bonus -- in my version of it I've even created a Snort rule (thanks for the help David) that creates a custom alert when an authenticated user logs onto the website. Once they enter in username/password the rule triggers the custom alert and plots that person's coordinates. So in theory I know geographically where all my users are and can offset that with the packet alerts to better make packet security conclusions.

If you're interested or have a good name....let me know. Marty...what do you think?

Thanks,
Ryan
BinaryGnome
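One way the per-alert enrichment Ryan describes (time-relation shading, source local time, proxy check) can be computed over alert rows, as an added example that is not part of this thread or of Ryan's application. The alert rows, the geolocation table (UTC offsets standing in for a real GeoIP lookup) and the proxy list are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample alert rows as they might be read from the Snort alert DB:
# (UTC timestamp, priority 1-5, protocol, source IP); documentation ranges only.
ALERTS = [
    ("2005-11-22 15:10:00", 1, "TCP", "203.0.113.7"),
    ("2005-11-22 09:00:00", 3, "UDP", "198.51.100.42"),
    ("2005-11-21 10:00:00", 5, "ICMP", "192.0.2.9"),
]

# Constructed geolocation table standing in for a real GeoIP lookup:
# network -> (city label, UTC offset in hours).
GEO_TABLE = {
    ip_network("203.0.113.0/24"): ("Tokyo", 9),
    ip_network("198.51.100.0/24"): ("New York", -5),
    ip_network("192.0.2.0/24"): ("London", 0),
}

# Constructed list of "well known proxy" networks to check the source IP against.
KNOWN_PROXIES = [ip_network("198.51.100.0/24")]

# Fixed reference time so the output is reproducible; a live tool uses datetime.now(timezone.utc).
NOW = datetime(2005, 11, 22, 15, 15, tzinfo=timezone.utc)


def age_shade(alert_time, now):
    """Time-relation shading: bold red for a fresh alert, fading as it ages."""
    hours = (now - alert_time).total_seconds() / 3600
    if hours < 1:
        return "bold red"
    if hours < 24:
        return "red"
    return "light red"


def enrich(alert, now=NOW):
    """Compute the display fields for one alert row."""
    ts, priority, proto, src = alert
    alert_time = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ip = ip_address(src)
    # First matching network wins; unmatched sources still get plottable fields.
    city, offset = next((v for net, v in GEO_TABLE.items() if ip in net), ("unknown", None))
    # Source local time of the attack, the field Ryan notes is rarely shown in an IDS.
    local = ("unknown" if offset is None else
             alert_time.astimezone(timezone(timedelta(hours=offset))).strftime("%Y-%m-%d %H:%M"))
    return {"priority": priority, "protocol": proto, "source": src, "city": city,
            "source_local_time": local, "shade": age_shade(alert_time, now),
            "known_proxy": any(ip in net for net in KNOWN_PROXIES)}
```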
Current thread:
- New Snort Mapping application...looking for feedback Ryan Trost (Nov 22)
- RE: New Snort Mapping application...looking for feedback Charles Heselton (Nov 22)
- Re: New Snort Mapping application...looking for feedback Russ Starr (Nov 22)