[Snort-devel] Passive mapper

James Hoagland hoagland at ...60...
Thu May 23 08:50:03 EDT 2002

At 11:45 PM -0400 5/22/02, Rob McMillen wrote:
>     I want to write a plugin that passively maps the monitored network to
>include active services located within the monitored network.  I think this
>might alert to a trojan/backdoor because all of the sudden you have a new
>service on a box that didn't used to have that service.
>     Two questions:  1)  Is there something like this for snort already?

I don't think there is anything in Snort that does exactly that 
though Spade does something pretty similar.  It looks for unusual 
destination ports for a destination IP.  It currently looks at SYN 
packets to detect scanning/probing
activity.  It sounds like you are planning to look for responses from 
unusual ports.

It wasn't clear if you wanted the configuration of normal services 
done manually or automatically.  Spade does it automatically which 
makes it a lot easier use.

It sounds like there might be an opportunity for you to leverage some 
of the work that went into Spade.  I'll be happy to assist.  If you 
are interested, e-mail me with your idea.  (I have some parallel 
extensions to Spade planned so this might fit right in.)

Best regards,

|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|

More information about the Snort-devel mailing list