[Snort-users] network penetrations

Geoff the UNIX guy galitz at ...247...
Thu Jan 11 19:51:26 EST 2001




A few folks have emailed me about this and there are
a few things to point out:

1)  The URL is wrong (doh!)  The correct URL is:
http://www.cchem.berkeley.edu/College/unix/proj/

2)  The docs are out of date.  They still give
    you a good idea about how we do things.  I will
    update them and put the updated docs online.

In the meantime, here is a rough sketch:

Various snort collectors run at various points across
our networks.  Their rule sets are periodically updated
and redistributed with a simple sh/scp shell script.

All logging is performed to a central mysql box.  On
that box, a perl script runs and extracts any events
that have occurred over the past day or so.  The internal
(emphasis on internal) addresses produced by the report
are written to a file which is used by nessus and nmap
as a list of targets to scan on their next run.  In our 
case, they always run once an hour.  If the perl app has
not added hosts to be scanned for the hourly run, then random
machines are scanned.  Nessus logs to the database and then
automatically notifies the owner of the relevant machine
with no other interaction and currently the nmap scans go
to our NOC (me) via email.

I will make code available as soon as I can (today or 
tomorrow).

-geoff




On Thu, 11 Jan 2001, Geoff the UNIX guy wrote:

> 
> 
> 
> I have snort reporting to a database which runs 
> periodic reports (via perl, currently) which 
> triggers a nessus scan, a dds scan, and an
> nmap -sV scan (a wonderful hack which attempts
> to verify the protocol running on a certain port).
> The nmap -sV scan is terrific for quickly finding 
> backdoor ssh daemons running on ports other than 
> port 22.
> 
> In other words: snort -> nessus -> dds -> nmap
> which tells me if a known attack daemon or backdoor
> has been added after the scan via an exploit.
> 
> For more info on how I've done it, feel free to check:
> http://www.cchem.berkeley.edu/College/unix/proj.html
> 
> It is nothing special really, it all amounts to a homebrewed 
> application glued together with C and perl.
> 
> -geoff
> 
> 
> On Thu, 11 Jan 2001, Mark Scott wrote:
> 
> > Hi,
> > 
> > Can anyone point me to resources that can help me understand how to tell if
> > there was a network penetration after a port scan? I use snort and many
> > times a day I detect some sort of port scan. What do you guys do to tell if
> > there has been a penetration?
> > 
> > Thanks,
> > 
> > Mark
> > 
> 
> ---------------------------------------------------
> Geoff Galitz, galitz at ...247...
> Research Computing
> College of Chemistry, UC Berkeley
> ---------------------------------------------------
>      The laws of physics can be a harsh mistress...
>         - Bender
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> 

---------------------------------------------------
Geoff Galitz, galitz at ...247...
Research Computing
College of Chemistry, UC Berkeley
---------------------------------------------------
     The laws of physics can be a harsh mistress...
        - Bender
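The event-to-target pipeline sketched in the reply above (central Snort database, a daily report of events, internal destination addresses written to a target file for nessus/nmap, random internal hosts when the report is empty) as an added example. This is not Geoff's perl and has not been released by the poster; it assumes the table layout written by Snort's database output plugin (event.sid/cid/timestamp joined to iphdr.sid/cid/ip_dst, with ip_dst stored as an unsigned 32-bit integer), uses placeholder internal ranges in INTERNAL_NETS, and substitutes an in-memory sqlite3 database with constructed rows for the central MySQL box so it runs offline. The check a practitioner wants to see is the one the post stresses: only addresses inside your own networks may reach the scanner target file, never the external source addresses of whoever triggered the alert.

```python
#!/usr/bin/env python3
"""Turn the last day's Snort events into a scan target list.

Added example, not the original poster's code.  Assumptions:
  - tables follow Snort's database output plugin: event(sid, cid,
    timestamp) and iphdr(sid, cid, ip_dst), ip_dst an unsigned 32-bit int;
  - INTERNAL_NETS are placeholder ranges, not the poster's;
  - sqlite3 stands in for the central MySQL box so this runs offline.
"""
import ipaddress
import random
import sqlite3
from datetime import datetime, timedelta

# Only hosts in these ranges may land in the target file.  Source
# addresses of outside attackers must never be fed to nessus/nmap.
INTERNAL_NETS = [                                  # assumed ranges
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
WINDOW = timedelta(days=1)      # "events over the past day or so"
RANDOM_FALLBACK = 5             # hosts to pick when the report is empty
REPORT_TIME = datetime(2001, 1, 11, 19, 0, 0)   # fixed "now" for the sample

# Constructed sample events: (sid, cid, timestamp, destination address)
SAMPLE_EVENTS = [
    (1, 1, "2001-01-11 08:15:00", "10.1.2.3"),      # recent, internal
    (1, 2, "2001-01-11 09:40:00", "10.1.2.3"),      # same host again
    (2, 1, "2001-01-11 12:05:00", "192.168.5.6"),   # recent, internal
    (2, 2, "2001-01-11 13:00:00", "198.51.100.7"),  # recent, but external
    (1, 3, "2001-01-08 02:00:00", "10.9.9.9"),      # internal, too old
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def recent_targets(conn, now):
    """Distinct internal destination addresses of events since now - WINDOW."""
    since = (now - WINDOW).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        "SELECT i.ip_dst FROM event e "
        "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        "WHERE e.timestamp >= ?",
        (since,),
    )
    targets = set()
    for (ip_dst,) in rows:
        ip = ipaddress.ip_address(int(ip_dst))
        if is_internal(ip):          # drop anything we do not own
            targets.add(ip)
    return sorted(targets)


def random_targets(rng, count):
    """Fallback when the report is empty: random hosts from the internal
    ranges, skipping each range's network and broadcast address."""
    picks = set()
    while len(picks) < count:
        net = rng.choice(INTERNAL_NETS)
        picks.add(net[rng.randrange(1, net.num_addresses - 1)])
    return sorted(picks)


def pick_targets(conn, now, rng=None):
    targets = recent_targets(conn, now)
    if not targets:
        targets = random_targets(rng or random.Random(), RANDOM_FALLBACK)
    return targets


def format_target_list(targets):
    """One address per line, the form a target file for nmap -iL takes."""
    return "".join(f"{ip}\n" for ip in targets)


def build_sample_db(rows=SAMPLE_EVENTS):
    """In-memory stand-in for the central snort database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE event(sid INTEGER, cid INTEGER, timestamp TEXT);"
        "CREATE TABLE iphdr(sid INTEGER, cid INTEGER, ip_dst INTEGER);"
    )
    for sid, cid, ts, dst in rows:
        conn.execute("INSERT INTO event VALUES (?, ?, ?)", (sid, cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?)",
                     (sid, cid, int(ipaddress.ip_address(dst))))
    conn.commit()
    return conn


if __name__ == "__main__":
    with open("targets.txt", "w") as f:
        f.write(format_target_list(pick_targets(build_sample_db(), REPORT_TIME)))
```

Run hourly from cron, the script leaves targets.txt holding 10.1.2.3 and 192.168.5.6 for the sample data: the external 198.51.100.7 and the three-day-old event are dropped. nmap consumes such a file with its real -iL option (nmap -iL targets.txt); how nessus is pointed at it depends on your nessus version and is not shown here.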