[Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator

Donofrio, Lewis donofrio at ...1052...
Tue Aug 27 08:01:02 EDT 2002


Geesh, URL should have read:

www.smoothwall.org

--stuttering as I type <G>
______________________________________________________________________ 
Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts 
1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333 


> -----Original Message-----
> From: Donofrio, Lewis 
> Sent: Tuesday, August 27, 2002 10:26 AM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] CEREBUS 1.2 Alert Browser and Data 
> Correlator
> 
> 
> Gentle People,
> 
> Anyone use www.smmothwall.org gpl 0.9.9se around here?  I 
> tried to run this util on my firewall but I cannot locate the 
> .map file required? This ISO runs Version 1.8.1-RELEASE 
> (Build 74) and I've been looking in the \var\logs\snort but 
> none found?  
> 
> --Just wondering....
> ---anyone got a php script that will email the ip owner of 
> ATTACKING machines? ----I have a vbs script I run for my 
> cheesy blackice service. 
> ______________________________________________________________________ 
> Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts 
> 1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
> Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333 
> 
> 
> > -----Original Message-----
> > From: Dragos Ruiu [mailto:dr at ...50...]
> > Sent: Monday, August 26, 2002 10:39 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator
> > 
> > 
> > ////////////////////
> > // Announcing the release of CEREBUS v1.2
> > ////////////////////
> > 
> > What is CEREBUS?
> > 
> > CEREBUS is a text-based full screen alert analysis system for
> > Snort unified alert output.  It lets you load multiple snort 
> > alert files into its embedded database system and make real-time
> > queries to quickly delete noise alerts. It is a statically linked
> > standalone binary and does not require you to set up any additional
> > database software to analyze Snort IDS output.
> > 
> > Cerebus is intended for Intrusion Detection System analysts who
> > deal with a large volume of IDS probe data and alert logs and need 
> > to efficiently process these large amounts of data, potentially
> > over a remote connection, or individuals who wish to use the Snort
> > IDS but do not want to deal with the complexity of installing a
> > full database manager for managing and browsing alerts or who
> > desire to make their log analysis time as short and efficient as
> > possible.
> > 
> > What it lacks in eye-candy (fancy fonts, gui buttons) it
> > makes up for in raw speed and efficiency of processing alerts 
> > and the ability to rapidly identify small important anomalies in 
> > large data sets.  It is also usable over a network link 
> > without having to import those large data sets to your local 
> > machine... so if you have a large fast machine as your 
> > central repository or you want to analyze the data on the probe
> > machine directly you can do all the processing there (Cerebus is
> > also very CPU efficient compared to an SQL database) and still use
> > it from your own desktop - independent of what your desktop
> > machine is - without waiting for a slow web gui to update or a
> > database to run queries.
> > 
> > Feed Cerebus Snort unified alert files from /var/log/snort. (Follow
> > the snort config instructions on the first Cerebus screen to 
> > set up unified output, if you are unfamiliar with this.)
> > 
> > Cerebus won't impress your manager with fancy pie charts, but it
> > may speed up your alert analysis to let you examine events in 
> > detail that would otherwise get ignored. Cerebus will hopefully
> > let you spend less time minding the IDSes and more time enjoying
> > summer.
> > 
> > The Lite version is the free non-commercial version intended
> > for smaller environments and individual use. The information 
> > below pertains to both the commercial licensed version and 
> > the free Lite version. The commercial version features support
> > for more alert input file formats and sources, writing ability to
> > save edited alert sets/reports, and enhanced multi-source data
> > management.
> > 
> > ////////////////////
> > // What's new in this release:
> > ////////////////////
> > 
> > -Alert Priority and Classification Display
> > 
> > -Sort/Collapse/Removal by Priority and Classification
> > 
> > -Collapsing similar alerts (source, dest, alert type etc...)
> > 
> > -Statistics modes (in conjunction with collapsing) and 
> >   Alert counts.
> > 
> > -New partial processing for _very_ large alert files.
> >  It will defer processing until you scroll to the data when 
> >  you choose a collapse mode. The number in parentheses
> >  after the number of alert records indicates the number 
> >  of collapsed records after display collapse. (Note the 
> >  number will change as you scroll through the file 
> >  and incremental processing happens.)
> > 
> > -New high speed mini-curses library.
> >  I got tired of futzing with statically compiling curses, I was 
> >  looking through the code and said, "yuck, look at all this 
> >  crap", "curses" indeed. Who in this day and age needs 
> >  ASCII windowing and support for Morrow InterTube magic 
> >  cookie terminals?  Everything (well almost :-) in the known 
> >  universe uses the ansi/vt1x0/vt2x0 command set - so I 
> >  stripped out the gunk for everything except that in my 
> >  reimplementation! So you can use anything like an xterm 
> >  (use a wide one to see all the fields), or a linux/bsd/console, 
> >  pc terminal program, remote ssh whatever...  I'm afraid 
> >  that if, like me, you have something odd like a wyse terminal 
> >  you are sol about using this on it :-) By losing all the 
> >  termlib/terminfo crap and a lot of unused functionality,
> >  the low swearing diet plan reduced this library's waistline 
> >  by more than 10x and gained noticeable execution 
> >  speedups.
> > 
> > -Fast scrolling.
> >  The benefit to reimplementing curses is that I have removed
> >  all library dependencies and I even removed stdio and libc  
> >  routines.  My new small fast library makes scrolling much 
> >  snappier (I can't really tell the difference between a p-200  
> >  and gig athlon) - and it is now realistic to lean on the page 
> >  down key and hop-over a few tens of thousands of alerts. 
> >  The mini-curses library (libcuss? short version of curse? 
> >  libless? a blessing would be the opposite of a curse? :-) 
> >  should also send fewer characters overall in bigger blocks 
> >  than normal curses to describe the same screen, so it 
> >  should still work fine over network ssh'es, or even serial  
> >  consoles - probably even better than the original curses  
> >  (since it essentially hasn't been touched since the early 
> >  80's and the System V Release 2 version that has propagated
> >  in both Linux and BSD.).
> >  
> > -Static binaries with no library dependencies.
> >  The Linux, FreeBSD, OpenBSD, (and OSX as soon as I
> >  upload the recompile to the web servers) versions on the
> >  web servers are now there.  I'm happy to say that except
> >  for open/close, read/write, malloc/free (and ioctl on bsd),  
> >  this stuff is libc bloat free. These binaries should run on 
> >  any systems without library futzing. I'm happy with the 
> >  portability of my code :-).
> > 
> > -The sparc version is still unavailable because the
> >  donated sparcstation doesn't seem to like either video 
> >  or serial consoles...sigh.
> > 
> > -Itanium and Alpha versions of Cerebus will be added
> >  to release sets soon with these new portability improvements 
> >  in this version. (Thanks Chris)
> > 
> > ////////////////////
> > // Cool things you can do with Cerebus:
> > ////////////////////
> > 
> > -Look at the count statistics for each kind of alert in a set
> > of files?
> >         how:
> >                 1. Merge the files into the db
> >                 2. (S)ort by (A)lert
> >                 3. (C)ollapse by (A)lert
> > 
> > -Delete all of a certain kind of alert for a single 
> > destination host? 
> >         how:
> >                 1. Merge the files into the db
> >                 2. (S)ort by (D)estination (I)P
> >                 3. (S)ort by (A)lert
> >                 4. (C)ollapse by (D)estination (I)P
> >                 5. Move to host/alert pair you want to 
> >                     nuke and delete it using (R)emove
> >                     (D)estination (I)P or (D)elete
> > 
> > -Look at the Alert activity by port?
> >         how:
> >                 1. Merge the files into the db
> >                 2. (S)ort by (D)estination or (S)ource (P)ort
> >                 3. Collapse by the same choice
> > 
> > ////////////////////
> > // Cerebus Tutorial:
> > ////////////////////
> > 	Cerebus is intended to be a paring tool - to cut away
> > 	uninteresting data and get to the core of security issues.  
> > 	The usual way I use Cerebus is to load in the alert files 
> > 	I want to look at and remove the noise before analyzing 
> > 	anything in detail.
> > 	
> > 	The quick way to get rid of data is to collapse it and then
> > 	delete the collapsed line.  In this way usually hundreds of
> > 	thousands of alerts can be reduced to mere hundreds of
> > 	lines to look at in more detail.
> > 	
> > 	My usual first step is to get rid of the alert types I don't
> > 	care about (things like code red on web servers etc..) I
> > 	usually sort by alert and then collapse by alert to nuke
> > 	alert types I don't like.  Then I usually weed out noisy or
> > 	often falsing hosts, by sorting on destination ip and port.
> > 
> > 	You can then use port sorting to eliminate some noisy 
> > 	protocols.
> > 
> > 	After I get rid of the noise... I then usually sort by
> > 	source and collapse and start investigating the hosts that
> > 	have been sending a lot of crap... So far I am pleased to report
> > 	Cerebus has dramatically decreased the amount of time I have to
> > 	spend looking over alert files - It lets me manage and analyze
> > 	volumes of alerts that were previously infeasible to look
> > 	through for anomalies and interesting data (and would
> > 	probably have wound up in the bit-bucket without Cerebus).
> > 
> > 	It works best in as large an xterm as you can fit on your
> > 	screen with small font sizes... because the scrolling is very
> > 	fast, you can hop over impressive amounts of data rapidly 
> > 	just using page up and page down. You can do correlation
> > 	by using the different sort and collapse modes to delete the
> > 	data between events of interest and look at multi-machine 
> > 	events side by side. Reloading the same file lets you restore 
> > 	those events that you deleted when examining certain 
> > 	hypotheses...
> > 
> > ////////////////////
> > // Cerebus Hints:
> > ////////////////////
> >         -In the upper right corner of the screen are indicator
> >          toggles for the collapse modes. To toggle a collapse mode
> >          <off> just reselect it.
> >         -The sort order is a stack.  It gets reset when you 
> >          sort by (E)vent
> >         -You can see the sort stack indicator in the upper 
> >          right next to the collapse indicators.
> >         -The (E)xpand command will clear all collapsing. All 
> >          the records will be ungrouped as you page through the data.
> >         -If you accidentally deleted some records you can 
> >          re-merge the files you loaded earlier. Cerebus will tell
> >          you how many records it restored. It will automatically
> >          weed out duplicate event IDs.
> >         -If you are analyzing live files that snort is 
> >          writing to, you can re-merge the files to get the new
> >          records recently written out.
> >         -Flipping over alert files daily/weekly seems to be a 
> >          nice way to manage datasets.
> > 
> > ////////////////////
> > // Cerebus Caveats:
> > ////////////////////
> >         -Cerebus is not perfect. It's just zippy. If it 
> > 	 crashes on you, you have either found a bug and you should
> > 	 tell me or you need more memory :-). (It will give a
> > 	 diagnostic in this case)
> > 
> > ////////////////////
> > // Where to get cerebus:
> > ////////////////////
> > 
> > http://dragos.com/cerebus/cerebus-linux-v1.2
> > http://dragos.com/cerebus/cerebus-fbsd-v1.2
> > http://dragos.com/cerebus/cerebus-obsd-v1.2
> > 
> > I hope it saves you some time. Feedback and requests welcome.
> > 
> > ////////////////////
> > // Mandatory Commercial Content:
> > ////////////////////
> > 
> > -dr is available for ids consulting and analysis and system 
> >  projects. cerebus is available for custom implementation 
> >  integration. more toys under construction. Since Sourcefire  
> >  hasn't recently been farming out any more remote development 
> >  work now that they have a full team in-house in MD I am 
> >  actively seeking development and consulting contracts 
> >  until I get busy with my conference preparations again.
> > 
> > cheers,
> > --dr
> > 
> > 
> > -- 
> > dr at ...50...  pgp: http://dragos.com/dr-dursec.asc
> > Advance CanSecWest/03 registration available: 
> > http://cansecwest.com "The question of whether computers can 
> > think is like the question of whether submarines can swim."
> > --Edsger Wybe Dijkstra 1930-2002
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: OSDN - Tired of that same 
> old cell phone?  Get a new here for FREE! 
> https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=3390
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
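The merge / sort / collapse / remove workflow described in the "Cool things you can do with Cerebus" and "Cerebus Hints" sections above, modelled in Python as an added example; this is not Cerebus or Snort code. It reads Snort's `alert_fast` text lines rather than the binary unified format Cerebus consumes, because text lines can be embedded inline; the alert lines in `SAMPLE_ALERTS` are constructed sample data (documentation addresses, the sid numbers are illustrative), the line number stands in for Snort's event ID, and treating the sort order as a stack of successive stable sorts is my reading of the hint that "the sort order is a stack", not a statement about Cerebus internals.

```python
"""Toy model of the Cerebus merge / sort / collapse / remove workflow.

Added example, not Cerebus or Snort code.  It parses Snort "alert_fast"
text lines instead of the binary unified format; SAMPLE_ALERTS is
constructed sample data, and the line number stands in for the event ID.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[str]]

# One alert_fast line (ports are absent for ICMP, hence optional):
#   ts  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not captured traffic): three CodeRed hits,
# one ping, two SNMP probes.
SAMPLE_ALERTS = """\
08/26-22:39:01.000001  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3311 -> 192.0.2.10:80
08/26-22:39:02.000002  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3312 -> 192.0.2.10:80
08/26-22:39:03.000003  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:1025 -> 192.0.2.11:80
08/26-22:39:04.000004  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
08/26-22:39:05.000005  [**] [1:1418:3] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:2000 -> 192.0.2.12:161
08/26-22:39:06.000006  [**] [1:1418:3] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:2001 -> 192.0.2.13:161
"""


def parse_fast_alerts(text: str) -> List[Record]:
    """Parse alert_fast lines into dicts; non-matching lines are skipped."""
    records: List[Record] = []
    for event_id, line in enumerate(text.splitlines(), start=1):
        m = FAST_RE.match(line)
        if m is None:
            continue
        rec: Record = m.groupdict()
        rec["event_id"] = str(event_id)   # stand-in for Snort's event ID
        records.append(rec)
    return records


def merge(db: List[Record], new: List[Record]) -> int:
    """Add records to the db, dropping duplicate event IDs.  Re-merging a
    file after deletions therefore restores exactly the deleted records."""
    seen = {r["event_id"] for r in db}
    added = 0
    for r in new:
        if r["event_id"] not in seen:
            db.append(r)
            seen.add(r["event_id"])
            added += 1
    return added


def sort_stack(db: List[Record], keys: List[str]) -> None:
    """Stack of stable sorts (assumed reading of the hint): the last key
    pushed is the primary order, earlier keys break ties.  Missing values
    such as ICMP ports sort last."""
    for key in keys:
        db.sort(key=lambda r: (r.get(key) is None, r.get(key) or ""))


def collapse(db: List[Record], keys: List[str]) -> Counter:
    """Group records sharing the same values for `keys`; the count per
    group is the number shown beside a collapsed line."""
    return Counter(tuple(r.get(k) for k in keys) for r in db)


def remove_where(db: List[Record], **match: str) -> int:
    """Delete every record whose fields equal all of `match`; return count."""
    keep = [r for r in db if not all(r.get(k) == v for k, v in match.items())]
    removed = len(db) - len(keep)
    db[:] = keep
    return removed


def noise_reduction_demo() -> Tuple[int, int, int]:
    """The tutorial's workflow: load, count by alert, nuke one alert/host
    pair, then re-merge to restore.  Returns (loaded, removed, restored)."""
    db: List[Record] = []
    loaded = merge(db, parse_fast_alerts(SAMPLE_ALERTS))
    sort_stack(db, ["dst", "msg"])          # (S)ort by (D)est IP, then (A)lert
    for (msg,), n in collapse(db, ["msg"]).most_common():
        print(f"{n:5d}  {msg}")             # the collapsed-line counts
    removed = remove_where(db, msg="WEB-IIS CodeRed v2 root.exe access",
                           dst="192.0.2.10")        # (R)emove host/alert pair
    restored = merge(db, parse_fast_alerts(SAMPLE_ALERTS))  # duplicates dropped
    return loaded, removed, restored


if __name__ == "__main__":
    print(noise_reduction_demo())
```

Collapsing by `dport` reproduces the "alert activity by port" recipe, and the `None` bucket it produces for ICMP is exactly the kind of field-less record a port sort has to place somewhere; the re-merge count matching the removal count is the property the hints rely on when they say deleted records can be restored from the original files.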



