Snort mailing list archives
Re: Hogger 0.1.3 released
From: Joel Esler <joel.esler () me com>
Date: Tue, 23 Mar 2010 18:03:43 -0400
This product does exist. It's called "RNA" http://www.sourcefire.com/products/3D/rna

It's one of our products at Sourcefire, a patented piece of technology that the Sourcefire (Snort) IPS uses to real-time configure all of these features inside of Snort.

Joel

On Mar 23, 2010, at 5:56 PM, Edward Bjarte Fjellskål wrote:
Hi,

When I first noticed the host attribute table about 2 years ago, I started to fiddle with the idea of how to populate it automagically(tm).

The "limitation" of nmap is that it would need to scan 65535 times two ports on each host to see the whole picture of what services are running. Also, if you scan an OK-sized network, it takes time, and when you are finished, you should start over to see if there is a diff :) (new services might be popping up...)

I was also doing consultancy for a customer, where the requirements were to map the network non-intrusively, for configuring an IDS as best as possible. (read: don't portscan the environment)

I started to draft a solution back then, implemented it in perl, where speed sucked, and rewrote it in C. It has been a long journey, and I now see that there are other tools out there that do something like this for you, but most are commercial, and only one is for Snort. Also I have learned a lot, which I find amusing :)

The upside in all this is that PRADS also can see client side traffic, meaning it knows what browser the hosts use etc., which is something that nmap never can find out. I remember somewhere in the Snort doc saying something about such features might be useful in the future :) It will also see hosts and services in the moment they start to talk on the network, hence "R" for real-time :)

Anyway, I (and others) have made PRADS, whose main purpose was to populate the host attribute table for snort :) which is something that it does today. Detection is mainly based on the fine work of Michal Zalewski (p0f) and Matt Shelton (PADS). We have taken the two tools one step further and also focused on performance, since my main goal was to run it side by side with snort.

The main work is done, but PRADS can benefit from signature contributions and testers :) At the moment, we are compatible with p0f signatures and PADS signatures (so if you have a personal repo of such, my inbox is open :) )

Hopefully there can be some synergy between nmap+hogger and PRADS in the future.

E

----- Original Message -----
From: "Shawn Jefferson" <Shawn.Jefferson () bcferries com>
To: "Joel Esler" <joel.esler () me com>, "Andy Berryman" <aberryman () cymtec com>
Cc: "Parker Crook" <Parker_Crook () reyrey com>, snort-users () lists sourceforge net
Sent: 23 March 2010 18:01:42
Subject: Re: [Snort-users] Hogger 0.1.3 released

Is there any downside to using it?

--
Edward Bjarte Fjellskål
Senior Security Analyst
Redpill Linpro AS
--
Joel Esler
http://blog.joelesler.net
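To make the passive approach Edward describes concrete, here is an added toy example (my code, not PRADS, Hogger or RNA): it sends no packets, learns services from hosts that answer with SYN-ACK and banners, learns client software from a User-Agent header (the client-side evidence a scanner never sees), and writes a Snort 2 host attribute table. The traffic is constructed inline, and the XML element names are my recollection of the Snort 2 manual's format, an assumption to check against your Snort version before loading the file.

```python
# Added example, not PRADS/Hogger code: a toy passive asset learner. It reads observed
# TCP segments (constructed below), records hosts that answered (services) and hosts
# that sent browser traffic (clients), and emits a Snort 2 host attribute table whose
# element names are assumed from the Snort 2 manual (verify against your version).
from collections import defaultdict
import xml.etree.ElementTree as ET

OBSERVED = [  # constructed sample: (src_ip, src_port, dst_ip, dst_port, flags, payload)
    ("10.0.0.20", 22, "10.0.0.5", 51000, "SA", b""),
    ("10.0.0.20", 22, "10.0.0.5", 51000, "PA", b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.21", 80, "10.0.0.5", 51001, "SA", b""),
    ("10.0.0.5", 51001, "10.0.0.21", 80, "PA",
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n"),
    ("10.0.0.21", 80, "10.0.0.5", 51001, "PA", b"HTTP/1.1 200 OK\r\n"),
]
SERVICE_SIGS = [(b"SSH-", "ssh"), (b"HTTP/1.", "http")]  # tiny PADS-style banner sigs

def learn_assets(observed):
    """Return {ip: {"services": {port: proto}, "clients": {(proto, user_agent)}}}."""
    assets = defaultdict(lambda: {"services": {}, "clients": set()})
    for src, sport, dst, dport, flags, payload in observed:
        if flags == "SA":                          # a host answered: it listens there
            assets[src]["services"].setdefault(sport, "unknown")
        elif sport in assets[src]["services"]:     # server data: refine the protocol
            for prefix, proto in SERVICE_SIGS:
                if payload.startswith(prefix):
                    assets[src]["services"][sport] = proto
        if b"User-Agent:" in payload:              # client-side evidence, no scan needed
            ua = payload.split(b"User-Agent:")[1].split(b"\r\n")[0].strip().decode()
            assets[src]["clients"].add(("http", ua))
    return dict(assets)

def attr(parent, tag, value):                      # <TAG><ATTRIBUTE_VALUE/><CONFIDENCE/></TAG>
    el = ET.SubElement(parent, tag)
    ET.SubElement(el, "ATTRIBUTE_VALUE").text = value
    ET.SubElement(el, "CONFIDENCE").text = "100"

def to_snort_attribute_table(assets):
    root = ET.Element("SNORT_ATTRIBUTES")
    ET.SubElement(root, "ATTRIBUTE_MAP")           # empty: literal values are used below
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for ip, info in sorted(assets.items()):
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        services = ET.SubElement(host, "SERVICES")
        for port, proto in sorted(info["services"].items()):
            svc = ET.SubElement(services, "SERVICE")
            attr(svc, "PORT", str(port)); attr(svc, "IPPROTO", "tcp"); attr(svc, "PROTOCOL", proto)
        clients = ET.SubElement(host, "CLIENTS")
        for proto, _ua in sorted(info["clients"]):
            attr(ET.SubElement(clients, "CLIENT"), "PROTOCOL", proto)
    return ET.tostring(root, encoding="unicode")
```

Running `to_snort_attribute_table(learn_assets(OBSERVED))` yields a table with ssh on 10.0.0.20:22, http on 10.0.0.21:80 and an http client entry for 10.0.0.5, all without a single probe leaving the sensor.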