[Snort-users] Status of aircert project?

Michael Scheidell scheidell at ...3799...
Fri Oct 19 08:14:20 EDT 2001


I was wondering what the status of the aircert project was.

The reason I asked was that the communal gathering and comparison of
alert/attack data seems important.

It shows worm trends, tracks trojans and hacker activity, and if done right
could also allow a security admin to determine whether he is the only one being
attacked by a certain IP or if this is a skiddie.

One of the projects I have been involved in is the mynetwatchman DIDS
(www.mynetwatchman.com). It sounds a little like aircert.
You can get a free Perl (or Windows) agent to auto-upload your attack data.

It started out just monitoring BlackICE firewalls, but added ZoneAlarm as
well.

Now, through an open-source Perl agent, it supports Cisco IOS, PIX, IPFW,
iptables, ipchains, portsentry, SonicWall, tcp_wrapper and Snort CSV formats.
There is a Linux RPM package and a generic tgz for other Unixes.
It can even update iptables
(so Snort can update iptables through the mynetwatchman client!).

It differs from the incidents.org/dshield concept in that each individual
'agent' can view his/her own daily statistics via a web page (to check whether
he is the only one attacked) and how many of his reports resulted in an
alert to the ISP.

Oh yes, the other thing it does is that when the attacks reach a 'threshold'
determined by port number and agent count, they get auto-escalated to the
ISP.

Remember the Leave32 worm?  Look at the incidents.org info on that.  It was
first discovered by mynetwatchman traffic analysis and the info was sent to
incidents.org.

Does this fit in any with aircert?  Is there any reason to ask Lawrence
Baldwin at mynetwatchman to forward aggregated attack data to aircert as
well as incidents.org?

--
Michael Scheidell
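The post above describes the two things a distributed IDS aggregator does with uploaded alert data: count how many independent agents saw the same source hitting the same port and escalate past a per-port threshold, and let a single reporter check whether anyone else saw the same source. The following is an added example of that aggregation logic, written for this page; it is not the mynetwatchman agent or server code, nor Snort's. The record layout (an agent id prepended to a subset of Snort alert_csv fields), the sample reports and the per-port thresholds are all constructed assumptions.

```python
"""Toy distributed-IDS aggregator (added illustration, not mynetwatchman code).

Assumed record format, one per line:
    agent,timestamp,msg,proto,src,srcport,dst,dstport
The last seven columns mirror a subset of Snort's alert_csv output; the
leading agent column is invented to mark which reporting site sent the row.
"""
import csv
import io
from collections import defaultdict

# Constructed sample reports from four hypothetical agents. 203.0.113.7 is
# seen by three sites on port 80, 203.0.113.9 by two sites on 1433, and
# 198.51.100.99 only by agentA on port 22.
SAMPLE_REPORTS = """\
agentA,10/19-08:01:12.000000,WEB-IIS cmd.exe access,TCP,203.0.113.7,3211,192.0.2.10,80
agentB,10/19-08:02:40.000000,WEB-IIS cmd.exe access,TCP,203.0.113.7,3290,198.51.100.5,80
agentC,10/19-08:03:05.000000,WEB-IIS cmd.exe access,TCP,203.0.113.7,3350,192.0.2.77,80
agentA,10/19-08:03:50.000000,SCAN nmap TCP,TCP,203.0.113.7,4000,192.0.2.10,80
agentA,10/19-08:05:00.000000,SCAN SSH probe,TCP,198.51.100.99,40000,192.0.2.10,22
agentD,10/19-08:06:00.000000,SCAN MS-SQL probe,TCP,203.0.113.9,1400,192.0.2.200,1433
agentB,10/19-08:06:30.000000,SCAN MS-SQL probe,TCP,203.0.113.9,1401,198.51.100.5,1433
"""

# Hypothetical escalation thresholds: how many *distinct* agents must report
# the same source on the same port before the source is escalated to its ISP.
# Ports that get scanned constantly need more independent witnesses.
PORT_THRESHOLDS = {80: 3, 22: 3, 1433: 2}
DEFAULT_THRESHOLD = 4


def parse_reports(text):
    """Parse the assumed CSV layout; rows with the wrong field count are skipped."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 8:
            continue
        agent, _ts, msg, proto, src, _sport, _dst, dport = fields
        rows.append({"agent": agent, "msg": msg, "proto": proto,
                     "src": src, "dport": int(dport)})
    return rows


def aggregate(rows):
    """Group reports by (source IP, destination port).

    Returns two dicts keyed by that pair: the set of agents that reported it
    and the raw event count. Counting agents rather than events is what stops
    one noisy reporter from escalating a source on its own.
    """
    agents = defaultdict(set)
    events = defaultdict(int)
    for r in rows:
        key = (r["src"], r["dport"])
        agents[key].add(r["agent"])
        events[key] += 1
    return agents, events


def escalations(agents):
    """(src, dport, distinct_agent_count) for every pair meeting its port threshold."""
    out = []
    for (src, dport), who in agents.items():
        needed = PORT_THRESHOLDS.get(dport, DEFAULT_THRESHOLD)
        if len(who) >= needed:
            out.append((src, dport, len(who)))
    return sorted(out)


def others_seeing(agents, src, me):
    """The 'am I the only one?' check: other agents that reported `src` on any port."""
    seen = set()
    for (s, _dport), who in agents.items():
        if s == src:
            seen |= who
    seen.discard(me)
    return sorted(seen)


if __name__ == "__main__":
    parsed = parse_reports(SAMPLE_REPORTS)
    by_pair, counts = aggregate(parsed)
    for src, dport, n in escalations(by_pair):
        print(f"escalate {src} port {dport}: {n} agents, {counts[(src, dport)]} events")
    print("others seeing 198.51.100.99:", others_seeing(by_pair, "198.51.100.99", "agentA"))
```

In the constructed data, 203.0.113.7 on port 80 is escalated because three separate agents reported it, even though agentA alone contributed two of the four events; 198.51.100.99 is not, because only agentA saw it, which is exactly the case where the web-page check would tell that reporter they are the only one being hit.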