[Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator

Dragos Ruiu dr at ...381...
Tue Aug 27 08:25:05 EDT 2002


The sid-msg map file comes with snort.
It is what Cerebus uses to translate numeric SID numbers to text labels.

There is also a gen script in the snort distribution if you have added your 
own rules and SID to the ruleset and want to regen the map file.

cheers,
--dr


On August 27, 2002 02:25 pm, Donofrio, Lewis wrote:
> Gentle People,
>
> Anyone use www.smmothwall.org gpl 0.9.9se around here?  I tried to run
> this util on my firewall but I cannot locate the .map file required?
> This ISO runs Version 1.8.1-RELEASE (Build 74) and I've been looking in
> the \var\logs\snort but none found?
>
> --Just wondering....
> ---anyone got a php script that will email the ip owner of ATTACKING
> machines?
> ----I have a vbs script I run for my cheesy blackice service.
> ______________________________________________________________________
> Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts
> 1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
> Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333
>
> > -----Original Message-----
> > From: Dragos Ruiu [mailto:dr at ...50...]
> > Sent: Monday, August 26, 2002 10:39 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator
> >
> >
> > ////////////////////
> > // Announcing the release of CEREBUS v1.2
> > ////////////////////
> >
> > What is CEREBUS?
> >
> > CEREBUS is a text-based full screen alert analysis system for
> > Snort unified alert output.  It lets you load multiple snort
> > alert files into its
> > embedded database system and make real-time queries to quickly
> > delete noise alerts. It is a statically linked standalone binary and
> > does not require you to set up any additional data base
> > software to analyze Snort IDS output.
> >
> > Cerebus is intended for Intrusion Detection System analysts who
> > deal with a large volume of IDS probe data and alert logs and need
> > to efficiently process these large amounts of data,
> > potentially over a remote connection, or individuals who wish
> > to use the Snort IDS but
> > do not want to deal with the complexity of installing a full database
> > manager for managing and browsing alerts or who desire to make
> > their log analysis time as short and efficient as possible.
> >
> > What it lacks in eye-candy (fancy fonts, gui buttons) it
> > makes up for in raw speed and efficiency of processing alerts
> > and the ability to rapidly identify small important anomalies in
> > large data sets.  It is also useable over a network link
> > without having to import those large data sets to your local
> > machine... so if you have a large fast machine as your
> > central repository or you want to analyze
> > the data on the probe machine directly you can do all the processing
> > there (Cerebus is also very CPU efficient compared to an SQL
> > database) and still use it from your own desktop -
> > independent of what your desktop machine is - without waiting
> > for a slow web gui to update or a database to run queries.
> >
> > Feed Cerebus Snort unified alert files from /var/log/snort. (Follow
> > the snort config instructions on the first Cerebus screen to
> > set up unified output, if you are unfamiliar with this.)
> >
> > Cerebus won't impress your manager with fancy pie charts, but it
> > may speed up your alert analysis to let you examine events in
> > detail that would otherwise get ignored. Cerebus will hopefully
> > let you spend less time minding the IDSes and more time enjoying summer.
> >
> > The Lite version is the free non-commercial version intended
> > for smaller environments and individual use. The information
> > below pertains to both the commercial licensed version and
> > the free Lite
> > version. The commercial version features support for more alert
> > input file formats and sources, writing ability to save edited alert
> > sets/reports, and enhanced multi-source data management.
> >
> > ////////////////////
> > // What's new in this release:
> > ////////////////////
> >
> > -Alert Priority and Classification Display
> >
> > -Sort/Collapse/Removal by Priority and Classification
> >
> > -Collapsing similar alerts (source, dest, alert type etc...)
> >
> > -Statistics modes (in conjunction with collapsing) and
> >   Alert counts.
> >
> > -New partial processing for _very_ large alert files.
> >  It will defer processing until you scroll to the data when
> >  you choose a collapse mode. The number in parentheses
> >  after the number of alert records indicates the number
> >  of collapsed records after display collapse. (note the
> >  number will change as you scroll through the file
> >  and incremental processing happens.)
> >
> > -New high speed mini-curses library.
> >  I got tired of futzing with statically compiling curses, I was
> >  looking through the code and said, "yuck, look at all this
> >  crap", "curses" indeed. Who in this day and age needs
> >  ASCII windowing and support for Morrow InterTube magic
> >  cookie terminals?  Everything (well almost :-) in the known
> >  universe uses the ansi/vt1x0/vt2x0 command set - so I
> >  stripped out the gunk for everything except that in my
> >  reimplementation! So you can use anything like an xterm
> >  (use a wide one to see all the fields), or a linux/bsd/console,
> >  pc terminal program, remote ssh whatever...  I'm afraid
> >  that if, like me, you have something odd like a wyse terminal
> >  you are sol about using this on it :-) By losing all the
> >  termlib/terminfo crap and a lot of unused functionality,
> >  the low swearing diet plan reduced this library's waistline
> >  by more than 10x and gained noticeable execution
> >  speedups.
> >
> > -Fast scrolling.
> >  The benefit to reimplementing curses is that I have removed
> >  all library dependencies and I even removed stdio and libc
> > routines.  My new small fast library makes scrolling much
> >  snappier (I can't really tell the difference between a p-200
> > and gig athlon) - and it is now realistic to lean on the page
> >  down key and hop-over a few tens of thousands of alerts.
> >  The mini-curses library (libcuss? short version of curse?
> >  libless? a blessing would be the opposite of a curse? :-)
> >  should also send fewer characters overall in bigger blocks
> >  than normal curses to describe the same screen, so it
> >  should still work fine over network ssh'es, or even serial
> > consoles - probably even better than the original curses
> > (since it essentially hasn't been touched since the early
> >  80's and the System V Release 2 version that has propagated
> >  in both Linux and BSD.).
> >
> > -Static binaries with no library dependencies.
> >  The Linux, FreeBSD, OpenBSD, (and OSX as soon as I
> >  upload the recompile to the web servers) versions on the
> >  web servers are now there.  I'm happy to say that except
> >  for open/close, read/write, malloc/free (and ioctl on bsd),
> > this stuff is libc bloat free. These binaries should run on
> >  any systems without library futzing. I'm happy with the
> >  portability of my code :-).
> >
> > -The sparc version is still unavailable because the
> >  donated sparcstation doesn't seem to like either video
> >  or serial consoles...sigh.
> >
> > -Itanium and Alpha versions of Cerebus will be added
> >  to release sets soon with these new portability improvements
> >  in this version. (Thanks Chris)
> >
> > ////////////////////
> > // Cool things you can do with Cerebus:
> > ////////////////////
> >
> > -Look at the count statistics for each kind of alert in a set
> > of files?
> >         how:
> >                 1. Merge the files into the db
> >                 2. (S)ort by (A)lert
> >                 3. (C)ollapse by (A)lert
> >
> > -Delete all of a certain kind of alert for a single destination host?
> >         how:
> >                 1. Merge the files into the db
> >                 2. (S)ort by (D)estination (I)P
> >                 3. (S)ort by (A)lert
> >                 4. (C)ollapse by (D)estination (I)P
> >                 5. Move to host/alert pair you want to
> >                     nuke and delete it using (R)emove
> >                     (D)estination (I)P or (D)elete
> >
> > -Look at the Alert activity by port?
> >         how
> >                 1. Merge the files into the db
> >                 2. (S)ort by (D)estination or (S)ource (P)ort
> >                 3. Collapse by the same choice
> >
> > ////////////////////
> > // Cerebus Tutorial:
> > ////////////////////
> > 	Cerebus is intended to be a paring tool - to cut away
> > 	uninteresting data and get to the core of security issues.
> > 	The usual way I use Cerebus is to load in the alert files
> > 	I want to look at and remove the noise before analyzing
> > 	anything in detail.
> >
> > 	The quick way to get rid of data is to collapse it and then
> > 	delete the collapsed line.  In this way usually hundreds of
> > 	thousands of alerts can be reduced to mere hundreds of
> > 	lines to look at in more detail.
> >
> > 	My usual first step is to get rid of the alert types I don't
> > 	care about (things like code red on web servers etc..) I
> > 	usually sort by alert and then collapse by alert to nuke
> > 	alert types I don't like.  Then I usually weed out noisy or
> > 	often falsing hosts, by sorting on destination ip and port.
> >
> > 	You can then use port sorting to eliminate some noisy
> > 	protocols.
> >
> > 	After I get rid of the noise... I then usually sort by
> > source and
> > 	collapse and start investigating the hosts that have been
> > 	sending a lot of crap... So far I am pleased to report Cerebus
> > 	has dramatically decreased the amount of time I have to
> > 	spend looking over alert files - It lets me manage and analyze
> > 	volumes of alerts that were previously infeasible to look
> > 	through for anomalies and interesting data (and would
> > 	probably have wound up in the bit-bucket without Cerebus).
> >
> > 	It works best in as large an xterm as you can fit on your
> > 	screen with small font sizes... because the scrolling is very
> > 	fast, you can hop over impressive amounts of data rapidly
> >         just using page up and page down. You can do correlation
> > 	by using the different sort and collapse modes to delete the
> > 	data between events of interest and look at multi-machine
> > 	events side by side. Reloading the same file lets you restore
> >         those events that you deleted when examining certain
> > 	hypotheses...
> >
> > ////////////////////
> > // Cerebus Hints:
> > ////////////////////
> >         -In the upper right corner of the screen are
> > indicator toggles for the
> >          collapse modes. To toggle a collapse mode <off> just
> > reselect it.
> >         -The sort order is a stack.  It gets reset when you
> > sort by (E)vent
> >         -You can see the sort stack indicator in the upper
> > right next to the
> >          collapse indicators.
> >         -The (E)xpand command will clear all collapsing. All
> > the records
> >          will be ungrouped as you page through the data.
> >         -If you accidentally deleted some records you can re-merge the
> >          files you loaded earlier. Cerebus will tell you how
> > many records
> >          it restored. It will automatically weed out
> > duplicate event IDs.
> >         -If you are analyzing live files that snort is
> > writing to, you can
> >          re-merge the files to get the new records recently
> > written out.
> >         -Flipping over alert files daily/weekly seems to be a
> > nice way
> >          to manage datasets.
> >
> > ////////////////////
> > // Cerebus Caveats:
> > ////////////////////
> >         -Cerebus is not perfect. It's just zippy. If it crashes on you
> > 	 you have either found a bug and you should tell me or you
> > 	 need more memory :-). (It will give a diagnostic in this case)
> >
> > ////////////////////
> > // Where to get cerebus:
> > ////////////////////
>
> http://dragos.com/cerebus/cerebus-linux-v1.2
> http://dragos.com/cerebus/cerebus-fbsd-v1.2
> http://dragos.com/cerebus/cerebus-obsd-v1.2
>
> I hope it saves you some time. Feedback and requests welcome.
>
> ////////////////////
> // Mandatory Commercial Content:
> ////////////////////
>
> -dr is available for ids consulting and analysis and system
>  projects. cerebus is available for custom implementation
>  integration. more toys under construction. Since Sourcefire  hasn't
> recently been farming out any more remote development
>  work now that they have a full team in-house in MD I am
>  actively seeking development and consulting contracts
>  until I get busy with my conference preparations again.
>
> cheers,
> --dr

-- 
dr at ...381...   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
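The sid-msg.map lookup mentioned in the reply and the sort/collapse/remove triage workflow from the quoted Cerebus tutorial (load files into an embedded db, sort and collapse by alert, destination IP or port, delete the collapsed group, re-merge to restore while skipping duplicate event IDs), written out as an added Python example. This is not Cerebus code and is not part of the original post: the sid-msg.map excerpt and the alert records are constructed sample data, and the `Alert` fields and `AlertDB` class are this example's own design rather than Snort's unified alert format or Cerebus's internal database.

```python
"""Cerebus-style alert triage: sid-msg.map lookup, sort/collapse counts,
removal of collapsed groups, and re-merge that skips duplicate event IDs."""
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the sid-msg.map format shipped with Snort:
# "sid || message || reference || reference ..." (references are optional).
SID_MSG_MAP = """\
# sid-msg.map sample (constructed for this example)
1002 || WEB-IIS cmd.exe access || bugtraq,1806
1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html
469 || ICMP PING NMAP || arachnids,162
1000001 || LOCAL custom rule
"""


def parse_sid_msg_map(text):
    """Map numeric SID -> text label, ignoring blank and comment lines."""
    sids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        sids[int(fields[0])] = fields[1]
    return sids


@dataclass(frozen=True)
class Alert:
    """Minimal alert record (hypothetical layout, not Snort's unified struct)."""
    event_id: int
    sid: int
    src: str
    dst: str
    sport: int
    dport: int


# Constructed alerts: three CodeRed hits, a probe, a cmd.exe hit,
# a custom-rule hit and one alert whose SID is missing from the map.
SAMPLE_ALERTS = [
    Alert(1, 1256, "10.0.0.5", "192.168.1.10", 3245, 80),
    Alert(2, 1256, "10.0.0.6", "192.168.1.10", 3311, 80),
    Alert(3, 1256, "10.0.0.5", "192.168.1.11", 3250, 80),
    Alert(4, 469, "10.0.0.9", "192.168.1.10", 0, 0),
    Alert(5, 1002, "10.0.0.5", "192.168.1.10", 3260, 80),
    Alert(6, 1000001, "10.0.0.7", "192.168.1.12", 4444, 22),
    Alert(7, 99999, "10.0.0.7", "192.168.1.12", 4445, 22),
]


class AlertDB:
    """In-memory alert set keyed by event ID, with sort/collapse/remove."""

    def __init__(self, sidmap):
        self.sidmap = sidmap
        self.alerts = {}  # event_id -> Alert

    def label(self, alert):
        # Unknown SIDs (local rules missing from the map) keep a numeric label.
        return self.sidmap.get(alert.sid, f"SID {alert.sid}")

    def field(self, alert, name):
        return self.label(alert) if name == "alert" else getattr(alert, name)

    def merge(self, alerts):
        """Load records; duplicate event IDs are skipped. Returns count added,
        so re-merging a file after deletions reports what it restored."""
        added = 0
        for a in alerts:
            if a.event_id not in self.alerts:
                self.alerts[a.event_id] = a
                added += 1
        return added

    def sort(self, *keys):
        """Sort stack: first key is the primary order, later keys break ties."""
        return sorted(self.alerts.values(),
                      key=lambda a: tuple(self.field(a, k) for k in keys))

    def collapse(self, *keys):
        """Group sorted records on the given fields and count each group."""
        return Counter(tuple(self.field(a, k) for k in keys)
                       for a in self.sort(*keys))

    def remove_where(self, **criteria):
        """Delete every record matching all criteria (one collapsed line)."""
        doomed = [eid for eid, a in self.alerts.items()
                  if all(self.field(a, k) == v for k, v in criteria.items())]
        for eid in doomed:
            del self.alerts[eid]
        return len(doomed)

    def __len__(self):
        return len(self.alerts)


def triage(alerts=SAMPLE_ALERTS):
    """The tutorial's workflow: merge, collapse by alert, nuke a noisy alert
    type, then collapse by source to see who is sending the most."""
    db = AlertDB(parse_sid_msg_map(SID_MSG_MAP))
    db.merge(alerts)
    db.remove_where(alert="WEB-IIS CodeRed v2 root.exe access")
    return db.collapse("src")
```

Run `triage()` to get the per-source counts left after the CodeRed noise is removed; `AlertDB.merge` on the same list afterwards reports how many deleted records it restored, and `collapse("dst", "alert")` after `remove_where(alert=..., dst=...)` reproduces the "delete one alert type for a single destination host" recipe.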