[Snort-users] Snortbot v 0.1 now available -- Half-Life fans test it out, please. Thanks.

Don Bailey baileydl at ...312...
Sun Jun 10 20:36:18 EDT 2001


Hi all,

New to the list, but a fan of Snort.  Friday, I mentioned to some
friends at work that I was thinking about modifying a Half-Life bot to
interface with Snort output (Half-Life is a popular 3D shooter game for
Windows).  We all giggled a bit at the idea and Saturday afternoon I
downloaded some popular bot source code (HPB bot by Botman), made a few
changes in the bot's dll source, had Brian Caswell write a plugin to
send nice Snort output to a file, and ta-da--Snortbot was born.  This
was done mostly for fun, but is a proof-of-concept for popular gaming
engines being used for monitoring IDS.  Note that I'm NOT advocating
that anyone running a production IDS start playing Half-Life to do IDS
analysis... but the thought has made me chuckle.  Who knows?  This may
get some Half-Life fans into intrusion detection--you can never have
enough analysts, eh?

So I'd appreciate any Half-Life or Counter-Strike fans running Snort for
Windows to take a look and play with Snortbot.  Snortbot is a modified
HPB bot and does all an HPB bot does and "more".  You can get Snortbot v
.1 (which btw has some patches to Snort for the output) at:

http://snort.sourceforge.net/snortbot.zip

Source is included for your convenience/safety/modification and also for
the cautious:

MD5 (snortbot.zip) = d66966f4c5ffb8a0ecbded06723b4f7a

Let me know of any bugs, or if anyone gets this running on a dedicated
server--especially Linux.  Thanks for your time, and enjoy!

Sincerely,

Don

P.S.--a bit of the README.txt follows below for the more curious as to what
Snortbot is/does/etc...
--
Don Bailey
Senior INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation
(703) 883-6230

Portions of the README.txt follow:

Snortbot v .1 - a modified HPB bot w/ Snort support.

Introduction
------------

Snortbot is a modified HPB bot with Snort support.  That means you can
play half-life, counter-strike, tfc, whathaveyou while running Snort and
this bot will continually check your IDS alarms and report them to you
in game.  To get a report of recent alarms from Snortbot, you or someone
else must attack and kill the Snortbot in the game--which makes for a
rather entertaining method of monitoring your IDS.  This was coded in
about an hour and tested for a day--caveat emptor.
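The polling design just described, as an added example that is not Snortbot's or HPB bot's own code: a Python sketch (the bot itself is a C++ DLL) that tails the alert file the plugin writes, assuming one alert per line since the plugin's format is not shown here, and handles the cases such a loop has to survive: a file that does not exist yet, a line the plugin has not finished writing, and a log that was truncated or rotated. The alert lines in demo() are constructed.

```python
import os
import tempfile
from collections import deque
class SnortAlertMonitor:
    """Tail the file a Snort output plugin appends to (assumed: one alert per line)."""
    def __init__(self, path, max_alerts=10):
        self.path, self.offset = path, 0  # offset = bytes of the file already consumed
        self.recent = deque(maxlen=max_alerts)  # bounded: an alert flood drops the oldest

    def poll(self):
        """Read lines appended since the last poll; returns the count of complete alerts."""
        if not os.path.exists(self.path):
            return 0  # Snort not running yet: try again on the next tick
        if os.path.getsize(self.path) < self.offset:
            self.offset = 0  # file truncated or rotated: restart from the top
        new = 0
        with open(self.path, "rb") as f:  # binary, so the offset is an exact byte count
            f.seek(self.offset)
            for raw in f:
                if not raw.endswith(b"\n"):
                    break  # line still being written: re-read it on the next poll
                self.offset += len(raw)
                self.recent.append(raw.decode("utf-8", "replace").rstrip())
                new += 1
        return new

    def report(self):
        """Lines the bot would say in game; clears the pending alerts."""
        if not self.recent:
            return ["Snortbot: no new Snort alarms."]
        lines = [f"Snortbot: {len(self.recent)} recent Snort alarm(s):"] + list(self.recent)
        self.recent.clear()
        return lines

def demo():
    path = os.path.join(tempfile.mkdtemp(), "snort_alerts.txt")
    mon = SnortAlertMonitor(path, max_alerts=2)
    with open(path, "wb") as f:  # constructed sample alert lines, not real Snort output
        f.write(b"[**] ICMP PING NMAP [**] 10.0.0.5 -> 10.0.0.1\n"
                b"[**] WEB-IIS cmd.exe access [**] 10.0.0.5 -> 10.0.0.1\n"
                b"[**] SCAN SYN FIN [**] 10.0.0.9 -> 10.0.")
    out = {"first": mon.poll()}  # two complete alerts; the partial one waits
    with open(path, "ab") as f:
        f.write(b"0.1\n")  # the writer finishes the third line
    out["second"] = mon.poll()
    out["report"] = mon.report()  # only the last two survive the maxlen=2 buffer
    with open(path, "wb") as f:  # rotation: the new file is shorter than our offset
        f.write(b"[**] ICMP PING NMAP [**] 10.0.0.7 -> 10.0.0.1\n")
    out["after_rotate"] = mon.poll()
    return out
```

In the real bot the poll would run from the bot's think loop and report() would fire when the Snortbot is killed, as the README describes.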

Further below are instructions for installing Snortbot if you're tired
of reading already.


History
-------

Some friends and I discussed the idea of having a gaming interface to an
IDS.  After I found out I was ineligible to apply for a NIST CIP grant
for which I was hoping to develop a REALLY cool 3D gaming interface to
an IDS, I decided to write a quick half-life bot that interfaced with
Snort.  Uncle Sam's loss is the IDS / gaming community's gain.  This is
simply proof-of-concept and should be just an idea of the potential for
combining monitoring an IDS (in this case, Snort) with a popular gaming
interface.  Managed security services will never be the same. ;)


What?  Why?  Huh?
-----------------

OK, so someone is asking, "What the heck is Snort?".  Put VERY simply,
Snort is an Intrusion Detection System (IDS) that keeps an eye out for
computers attacking other computers.  Visit http://www.snort.org for
more details and free downloads.

OK, now someone is asking, "Why the heck would I want to run Snortbot?".
Perhaps you already run Snort and you want to keep abreast of IDS alarms
while you are hosting a counter-strike server.  Perhaps you are a
goofball and you are interested in merging computer games with IDS
software like us.  Perhaps you are a big Snort fan, and this just seems
too cool to not try out.  Whatever.  An excellent example of why to use
Snortbot would be:  You have a connection to the Internet on your
primary gaming PC.  You like to always know if anyone is attacking your
computer.  You happen to be having a LAN party at your house.  You want
to host counter-strike, insert a few bots, and kick some tail, but you
still want to know if Snort sees anyone attacking you over your Internet
connection.  How will you do all these things at once?  Simple.  Start
your counter-strike server and run Snortbot.  You will be the man.

Best of all, because Snortbot is just a modified HPB bot, you can use it
just like HPB bot.  Add multiple bots, use your bot.cfg file, whatever.
As long as one of your bots is named "Snortbot", it will keep you posted
with regard to Snort alarms.




