Snort mailing list archives

RE: New Snort Mapping application...looking for feedback


From: "Charles Heselton" <charles.heselton () gmail com>
Date: Tue, 22 Nov 2005 09:08:36 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looks like Google Earth + xtraceroute.  I think that the highest
value would be in the trending aspect you mentioned.  Being able to
track events over a period of time would be a nice feature.

--
- Charlie
 
5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
 
 In memoriam:  http://www.militarycity.com/valor/1029976.html


 

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ryan Trost
Sent: Tuesday, November 22, 2005 7:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Snort Mapping application...looking for feedback

Just looking for some feedback from Snort users....

I've created an application that takes the alerts generated by Snort, extracts them from an MS SQL DB, and fairly accurately plots them onto visual mapping software.  The mapping capabilities allow the user to choose between {global, continent, country, state, or city and/or street depending on satellite coverage in that area -- see attachment} levels to help identify/monitor packet communications by implementing satellite imagery.

The mapping display also has several distinct visual aids to help users differentiate between priority 1-5 alerts and packet protocol (TCP/ICMP/UDP), color codes the node depending on the time relation of the alert (bold red just occurred whereas light red occurred xxx hours ago), checks the source IP against well-known proxy servers, and also gives the source local time of the attack (a vital piece of information I rarely see in IDS).  The attached screen capture will give you a better idea.  It's an older screen capture and very specific as it only shows a single alert, but you get the idea.

The product's development stemmed from the fact that tcpdumps and alert headers are extremely informative about that specific packet.  But I wanted to focus more on the source of the packet...where are they geographically located?  What time is it there?  Is there any kind of group attack (now that cell phones and broadband are mainstream...attacks can be (and are) a joint effort)?

I know it sounds a lot like traceroute and IP trace...but it's much faster and is automated to give the user the ability to monitor "real-time" (refresh view every 5 seconds) or give it a date range (give me all alerts in the past 30 days) and of course interfaces with our favorite IDS -- SNORT.

This application is currently nameless (any ideas???) and is currently running in a Windows environment (all you NIX'rs stop boo-ing...I'm being forced to use that environment because of work restrictions).  I know several other proprietary IDSs have this capability but I've never come across Snort having this capability.  Has anyone else?  (I hope not because then I just wasted countless hours of work)

Would anybody be interested in this?  Am I way out in left field?  I'm finishing up the 'standalone' version of it and, given decent feedback, will design an equivalent web app that allows people to upload their Snort logs and see for themselves.

A side bonus -- in my version of it I've even created a Snort rule (thanks for the help David) that creates a custom alert when an authenticated user logs onto the website.  Once they enter a username/password the rule triggers the custom alert and plots that person's coordinates.  So in theory I know geographically where all my users are and can offset that with the packet alerts to better make packet security conclusions.

If you're interested or have a good name....let me know.  Marty...what do you think?

Thanks,
Ryan
BinaryGnome


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ4NQlHv40fZIKe3PEQKtKwCg2XOx7Tdj/PH/J+eob6DjVrcr2tEAoIeG
bJ3z4TMYkFciUjD/ZU3gMpEc
=N4kA
-----END PGP SIGNATURE-----
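The login-alert rule Ryan mentions near the end of his message is not included in the thread. The rules below are an added example, not Ryan's rule and not part of the Snort distribution, of how such an alert can be built in Snort 2.x rule syntax so that it fires only on an accepted login rather than on every password guess. The URI /login, the form field username=, the cookie name session, the 302-redirect-on-success behaviour and the SIDs in the 1000000+ local range are all assumptions about the protected web application; $HTTP_SERVERS and $HTTP_PORTS are the usual snort.conf variables.

```snort
# Added example (not the rule from the thread). Assumes: the login form is
# POSTed in clear text to /login with a field named "username=", a successful
# login is answered with an HTTP 302 that sets a cookie named "session", and
# $HTTP_SERVERS / $HTTP_PORTS are defined in snort.conf.
# SIDs 1000001-1000002 are in the range reserved for local rules.

# Rule 1: remember that a login form was submitted on this flow, but do not
# alert on it. Alerting here would also plot every failed password guess as
# an "authenticated user", which defeats the point of overlaying users on
# attack alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL web login form submitted"; \
    flow:to_server,established; \
    content:"POST"; depth:4; \
    uricontent:"/login"; nocase; \
    content:"username="; nocase; \
    flowbits:set,local_login_posted; \
    flowbits:noalert; \
    classtype:web-application-activity; \
    sid:1000001; rev:1; \
)

# Rule 2: alert only when the server answers that POST with a redirect that
# hands out a session cookie, i.e. the credentials were accepted. Because the
# packet travels server -> client, the user's address is the alert's
# *destination* IP; plot that field, not the source. priority:3 keeps the
# login below real attack alerts in a priority-coloured display.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL web login succeeded"; \
    flow:to_client,established; \
    flowbits:isset,local_login_posted; \
    content:"HTTP/1.1 302"; depth:12; \
    content:"Set-Cookie|3A| session="; nocase; \
    classtype:web-application-activity; \
    priority:3; \
    sid:1000002; rev:1; \
)
```

Two caveats when using something like this for the user overlay: the rule pair only sees clear-text HTTP, so a login form served over HTTPS is invisible to Snort unless the traffic is decrypted upstream; and the flowbit lives on the TCP session, so if the application answers the POST on a different connection (or with a 200 page instead of a redirect) rule 2 must be adjusted to whatever the real success response looks like.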




