Snort mailing list archives

Re: Hogger 0.1.3 released


From: Joel Esler <joel.esler () me com>
Date: Tue, 23 Mar 2010 18:03:43 -0400

This product does exist.  It's called "RNA"  http://www.sourcefire.com/products/3D/rna

It's one of our products at Sourcefire, a patented piece of technology that the Sourcefire (Snort) IPS uses to 
real-time configure all of these features inside of Snort.

Joel


On Mar 23, 2010, at 5:56 PM, Edward Bjarte Fjellskål wrote:

Hi,

When I first noticed the host attribute table about 2 years ago,
I started to fiddle with the idea of how to populate it automagically(tm).

The "limitation" of nmap is that it would need to scan 65535 times two
ports on each host to see the whole picture of what services are running.
Also, if you scan an OK-sized network, it takes time, and when you are finished,
you should start over to see if there is a diff :) (new services might be
popping up...)

I was also doing consultancy for a customer, where the requirements were
to map the network non-intrusively, for configuring an IDS as well as possible.
(read: don't portscan the environment)

I started to draft a solution back then, implemented it in perl, where speed
sucked, and rewrote it in C. It has been a long journey, and I now see that
there are other tools out there that do something like this for you,
but most are commercial, and only one is for Snort. Also I have learned a lot,
which I find amusing :)

The upside in all this is that PRADS also can see client side traffic,
meaning it knows what browser the hosts use etc., which is something that
nmap never can find out. I remember somewhere in the Snort doc saying
something about such features might be useful in the future :)
It will also see hosts and services the moment they start to talk
on the network, hence "R" for real-time :)

Anyway, I (and others) have made PRADS, whose main
purpose was to populate the host attribute table for snort :)
which is something that it does today. Detection is mainly based
on the fine work of Michal Zalewski (p0f) and Matt Shelton (PADS).
We have taken the two tools one step further and also focused on
performance, since my main goal was to run it side by side with snort.

The main work is done, but PRADS can benefit from signature contributions
and testers :) At the moment, we are compatible with p0f signatures and
PADS signatures (so if you have a personal repo of such, my inbox is open :) )

Hopefully there can be some synergy between nmap+hogger and PRADS in the
future.

E

----- Original Message -----
From: "Shawn Jefferson" <Shawn.Jefferson () bcferries com>
To: "Joel Esler" <joel.esler () me com>, "Andy Berryman" <aberryman () cymtec com>
Cc: "Parker Crook" <Parker_Crook () reyrey com>, snort-users () lists sourceforge net
Sent: 23 March 2010 18:01:42
Subject: Re: [Snort-users] Hogger 0.1.3 released

Is there any downside to using it?

-- 
Edward Bjarte Fjellskål
Senior Security Analyst
Redpill Linpro AS

--
Joel Esler
http://blog.joelesler.net
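Edward's description of PRADS above (infer hosts and their services from traffic you only listen to, never probe, and write the result into Snort's host attribute table so the IDS can be configured without portscanning the environment) can be illustrated with the following added example. It is not PRADS code and uses none of the PRADS, p0f or PADS signature formats; the packet list, the two banner signatures and the addresses are constructed, and the XML element layout (SNORT_ATTRIBUTES / ATTRIBUTE_TABLE / HOST / SERVICES with an ATTRIBUTE_VALUE and CONFIDENCE per field) is assumed from the Snort 2.x manual and should be checked against the Snort version in use:

```python
"""Toy passive asset detector (added example, not PRADS code).

A host is recorded as offering a TCP service only when it is *seen answering*
with SYN/ACK from that port; the application name comes from the first
server-to-client payload that matches a banner signature.  Nothing is ever
sent, which is the non-intrusive property the thread asks for.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed observations, as a sniffer or pcap reader would hand them over:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload)
OBSERVED = [
    ("10.0.0.5", 51234, "10.0.0.10", 80, "S", b""),
    ("10.0.0.10", 80, "10.0.0.5", 51234, "SA", b""),
    ("10.0.0.10", 80, "10.0.0.5", 51234, "PA",
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.14\r\n\r\n"),
    ("10.0.0.5", 51235, "10.0.0.11", 22, "S", b""),
    ("10.0.0.11", 22, "10.0.0.5", 51235, "SA", b""),
    ("10.0.0.11", 22, "10.0.0.5", 51235, "PA", b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.5", 51236, "10.0.0.12", 8080, "S", b""),  # never answered: no service
]

# Constructed, PADS-like banner signatures: (protocol, regex on server payload).
SIGNATURES = [
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([^\r\n]+)", re.S)),
    ("ssh", re.compile(rb"^SSH-\d\.\d-([^\r\n]+)")),
]


def passive_detect(packets):
    """Return {server_ip: {("tcp", port): (protocol, application)}}."""
    assets = defaultdict(dict)
    for src, sport, dst, dport, flags, payload in packets:
        key = ("tcp", sport)
        if flags == "SA":
            # SYN/ACK proves src:sport is a listening service.
            assets[src].setdefault(key, ("unknown", "unknown"))
        elif payload and key in assets.get(src, {}):
            if assets[src][key][0] != "unknown":
                continue  # already identified; first banner wins
            for proto, rx in SIGNATURES:
                m = rx.match(payload)
                if m:
                    assets[src][key] = (proto, m.group(1).decode(errors="replace"))
                    break
    return {ip: dict(svcs) for ip, svcs in assets.items()}


def new_services(previous, current):
    """Services in `current` that were not in `previous`: the diff a rescan would need."""
    def flat(assets):
        return {(ip, ipproto, port) for ip, svcs in assets.items() for (ipproto, port) in svcs}
    return flat(current) - flat(previous)


def to_attribute_table(assets):
    """Serialize assets as a Snort 2.x style host attribute table (XML string).

    Element names are assumed from the Snort manual; confidence is 100 for facts
    observed directly (port, IP protocol) and lower for banner-derived guesses.
    """
    root = ET.Element("SNORT_ATTRIBUTES")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")

    def field(parent, tag, value, confidence):
        f = ET.SubElement(parent, tag)
        ET.SubElement(f, "ATTRIBUTE_VALUE").text = str(value)
        ET.SubElement(f, "CONFIDENCE").text = str(confidence)

    for ip in sorted(assets):
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        services = ET.SubElement(host, "SERVICES")
        for (ipproto, port), (proto, app) in sorted(assets[ip].items()):
            svc = ET.SubElement(services, "SERVICE")
            field(svc, "PORT", port, 100)
            field(svc, "IPPROTO", ipproto, 100)
            field(svc, "PROTOCOL", proto, 80 if proto != "unknown" else 0)
            field(svc, "APPLICATION", app, 80 if app != "unknown" else 0)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found = passive_detect(OBSERVED)
    print("new since last run:", sorted(new_services({}, found)))
    print(to_attribute_table(found))
```

The host that was only SYN-scanned by the client (10.0.0.12) never appears, because passive detection only believes what the server itself says on the wire; re-running `passive_detect` on a later capture and diffing with `new_services` gives the "new services popping up" view without a second scan.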



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users