[Snort-devel] Passive mapper
hoagland at ...60...
Thu May 23 08:50:03 EDT 2002
At 11:45 PM -0400 5/22/02, Rob McMillen wrote:
> I want to write a plugin that passively maps the monitored network to
> include active services located within the monitored network. I think this
> might alert to a trojan/backdoor because all of a sudden you have a new
> service on a box that didn't use to have that service.
> Two questions: 1) Is there something like this for snort already?
I don't think there is anything in Snort that does exactly that
though Spade does something pretty similar. It looks for unusual
destination ports for a destination IP. It currently looks at SYN
packets to detect scanning/probing activity. It sounds like you are
planning to look for responses from
It wasn't clear if you wanted the configuration of normal services
done manually or automatically. Spade does it automatically, which
makes it a lot easier to use.
It sounds like there might be an opportunity for you to leverage some
of the work that went into Spade. I'll be happy to assist. If you
are interested, e-mail me with your idea. (I have some parallel
extensions to Spade planned so this might fit right in.)
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...60..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
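
A sketch of the passive service map discussed in this thread, as an added example that is not code from Snort, Spade, or either poster. It assumes a SYN+ACK sourced from the monitored network is the evidence of a live service and that the baseline is learned automatically during an initial window; all names and the sample traffic are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAX_SERVICES 1024

/* One observed service: an inside host answering on a TCP port. */
struct service { uint32_t ip; uint16_t port; };

struct service_map {
    struct service known[MAX_SERVICES];
    size_t count;
    uint32_t net, mask;   /* monitored network, host byte order */
    long learn_until;     /* sightings before this timestamp only train the map */
};

enum verdict { IGNORED, LEARNED, KNOWN, NEW_SERVICE };

/* Feed the header fields of one TCP packet. A SYN+ACK from an inside address
 * means src_ip:src_port accepted a connection. The first sighting is recorded,
 * so each new service is reported once (while the table has room). */
enum verdict observe(struct service_map *m, long ts, uint32_t src_ip,
                     uint16_t src_port, uint8_t flags)
{
    if ((flags & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK))
        return IGNORED;                      /* not a connection accept */
    if ((src_ip & m->mask) != m->net)
        return IGNORED;                      /* responder is outside the network */
    for (size_t i = 0; i < m->count; i++)
        if (m->known[i].ip == src_ip && m->known[i].port == src_port)
            return KNOWN;
    if (m->count < MAX_SERVICES)
        m->known[m->count++] = (struct service){ src_ip, src_port };
    return ts < m->learn_until ? LEARNED : NEW_SERVICE;
}

int main(void)
{
    /* Constructed sample: 10.0.0.0/24 is monitored, learning ends at t=100. */
    static struct service_map m = { .net = 0x0A000000, .mask = 0xFFFFFF00,
                                    .learn_until = 100 };
    observe(&m, 10, 0x0A000005, 80, TH_SYN | TH_ACK);   /* baseline: 10.0.0.5:80 */
    if (observe(&m, 160, 0x0A000005, 12345, TH_SYN | TH_ACK) == NEW_SERVICE)
        puts("new service: 10.0.0.5:12345");
    return 0;
}
```

Keying on the responder's SYN+ACK rather than the client's SYN means a probe to a closed port never enters the map; only ports that actually answer do.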