[Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator

Donofrio, Lewis donofrio at ...1052...
Tue Aug 27 09:06:07 EDT 2002


Ruiu,

Thanks for the reply but what is the PATH to the standard .map files
that snort uses?

--Sorry but I'm having a hard time getting LS in Linux to do the same as
DIR /s *.map does in DOS6.22
______________________________________________________________________ 
Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts 
1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333 


> -----Original Message-----
> From: Dragos Ruiu [mailto:dr at ...381...] 
> Sent: Tuesday, August 27, 2002 4:24 AM
> To: Donofrio, Lewis; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] CEREBUS 1.2 Alert Browser and Data 
> Correlator
> 
> 
> The sid-msg map file comes with snort.
> It is what Cerebus uses to translate numeric SID numbers to text labels
> 
> There is also a gen script in the snort distribution if you have added your
> own rules and SID to the ruleset and want to regen the map file.
> 
> cheers,
> --dr
> 
> 
> On August 27, 2002 02:25 pm, Donofrio, Lewis wrote:
> > Gentle People,
> >
> > Anyone use www.smmothwall.org gpl 0.9.9se around here?  I tried to run
> > this util on my firewall but I cannot locate the .map file required?
> > This ISO runs Version 1.8.1-RELEASE (Build 74) and I've been looking
> > in the \var\logs\snort but none found?
> >
> > --Just wondering....
> > ---anyone got a php script that will email the ip owner of ATTACKING
> > machines? ----I have a vbs script I run for my cheesy blackice
> > service.
> >
> > ______________________________________________________________________
> > Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts
> > 1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
> > Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333
> >
> > > -----Original Message-----
> > > From: Dragos Ruiu [mailto:dr at ...50...]
> > > Sent: Monday, August 26, 2002 10:39 PM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] CEREBUS 1.2 Alert Browser and Data Correlator
> > >
> > >
> > > ////////////////////
> > > // Announcing the release of CEREBUS v1.2
> > > ////////////////////
> > >
> > > What is CEREBUS?
> > >
> > > CEREBUS is a text-based full screen alert analysis system for Snort
> > > unified alert output.  It lets you load multiple snort alert files
> > > into its embedded database system and make real-time queries to
> > > quickly delete noise alerts. It is a statically linked standalone
> > > binary and does not require you to set up any additional database
> > > software to analyze Snort IDS output.
> > >
> > > Cerebus is intended for Intrusion Detection System analysts who deal
> > > with a large volume of IDS probe data and alert logs and need to
> > > efficiently process these large amounts of data, potentially over a
> > > remote connection, or individuals who wish to use the Snort IDS but
> > > do not want to deal with the complexity of installing a full database
> > > manager for managing and browsing alerts or who desire to make
> > > their log analysis time as short and efficient as possible.
> > >
> > > What it lacks in eye-candy (fancy fonts, gui buttons) it makes up
> > > for in raw speed and efficiency of processing alerts and the ability
> > > to rapidly identify small important anomalies in large data sets.  It
> > > is also usable over a network link without having to import those
> > > large data sets to your local machine... so if you have a large fast
> > > machine as your central repository or you want to analyze
> > > the data on the probe machine directly you can do all the processing
> > > there (Cerebus is also very CPU efficient compared to an SQL
> > > database) and still use it from your own desktop -
> > > independent of what your desktop machine is - without waiting
> > > for a slow web gui to update or a database to run queries.
> > >
> > > Feed Cerebus Snort unified alert files from /var/log/snort. (Follow
> > > the snort config instructions on the first Cerebus screen to set up
> > > unified output, if you are unfamiliar with this.)
> > >
> > > Cerebus won't impress your manager with fancy pie charts, but it may
> > > speed up your alert analysis to let you examine events in detail
> > > that would otherwise get ignored. Cerebus will hopefully let you
> > > spend less time minding the IDSes and more time enjoying summer.
> > >
> > > The Lite version is the free non-commercial version intended for
> > > smaller environments and individual use. The information below
> > > pertains to both the commercial licensed version and the free Lite
> > > version. The commercial version features support for more alert
> > > input file formats and sources, writing ability to save edited alert
> > > sets/reports, and enhanced multi-source data management.
> > >
> > > ////////////////////
> > > // What's new in this release:
> > > ////////////////////
> > >
> > > -Alert Priority and Classification Display
> > >
> > > -Sort/Collapse/Removal by Priority and Classification
> > >
> > > -Collapsing similar alerts (source, dest, alert type etc...)
> > >
> > > -Statistics modes (in conjunction with collapsing) and
> > >   Alert counts.
> > >
> > > -New partial processing for _very_ large alert files.
> > >  It will defer processing until you scroll to the data when you
> > >  choose a collapse mode. The number in parentheses after the number
> > >  of alert records indicates the number of collapsed records after
> > >  display collapse. (note the number will change as you scroll
> > >  through the file and incremental processing happens.)
> > >
> > > -New high speed mini-curses library.
> > >  I got tired of futzing with statically compiling curses, I was
> > >  looking through the code and said, "yuck, look at all this crap",
> > >  "curses" indeed. Who in this day and age needs ASCII windowing and
> > >  support for Morrow InterTube magic cookie terminals?  Everything
> > >  (well almost :-) in the known universe uses the ansi/vt1x0/vt2x0
> > >  command set - so I stripped out the gunk for everything except that
> > >  in my reimplementation! So you can use anything like an xterm
> > >  (use a wide one to see all the fields), or a linux/bsd/console,
> > >  pc terminal program, remote ssh whatever...  I'm afraid
> > >  that if, like me, you have something odd like a wyse terminal
> > >  you are sol about using this on it :-) By losing all the
> > >  termlib/terminfo crap and a lot of unused functionality,
> > >  the low swearing diet plan reduced this library's waistline
> > >  by more than 10x and gained noticeable execution
> > >  speedups.
> > >
> > > -Fast scrolling.
> > >  The benefit to reimplementing curses is that I have removed all
> > >  library dependencies and I even removed stdio and libc routines.  My
> > >  new small fast library makes scrolling much snappier (I can't
> > >  really tell the difference between a p-200 and gig athlon) - and it
> > >  is now realistic to lean on the page down key and hop over a few
> > >  tens of thousands of alerts.  The mini-curses library (libcuss?
> > >  short version of curse?  libless? a blessing would be the opposite
> > >  of a curse? :-)  should also send fewer characters overall in bigger
> > >  blocks than normal curses to describe the same screen, so it
> > >  should still work fine over network ssh'es, or even serial
> > >  consoles - probably even better than the original curses
> > >  (since it essentially hasn't been touched since the early
> > >  80's and the System V Release 2 version that has propagated
> > >  in both Linux and BSD.).
> > >
> > > -Static binaries with no library dependencies.
> > >  The Linux, FreeBSD, OpenBSD, (and OSX as soon as I
> > >  upload the recompile to the web servers) versions on the web
> > >  servers are now there.  I'm happy to say that except for
> > >  open/close, read/write, malloc/free (and ioctl on bsd), this stuff
> > >  is libc bloat free. These binaries should run on any systems
> > >  without library futzing. I'm happy with the portability of my code
> > >  :-).
> > >
> > > -The sparc version is still unavailable because the
> > >  donated sparcstation doesn't seem to like either video
> > >  or serial consoles...sigh.
> > >
> > > -Itanium and Alpha versions of Cerebus will be added
> > >  to release sets soon with these new portability improvements in
> > >  this version. (Thanks Chris)
> > >
> > > ////////////////////
> > > // Cool things you can do with Cerebus:
> > > ////////////////////
> > >
> > > -Look at the count statistics for each kind of alert in a set of
> > >  files?
> > >         how:
> > >                 1. Merge the files into the db
> > >                 2. (S)ort by (A)lert
> > >                 3. (C)ollapse by (A)lert
> > >
> > > -Delete all of a certain kind of alert for a single destination host?
> > >         how:
> > >                 1. Merge the files into the db
> > >                 2. (S)ort by (D)estination (I)P
> > >                 3. (S)ort by (A)lert
> > >                 4. (C)ollapse by (D)estination (I)P
> > >                 5. Move to host/alert pair you want to
> > >                     nuke and delete it using (R)emove
> > >                     (D)estination (I)P or (D)elete
> > >
> > > -Look at the Alert activity by port?
> > >         how:
> > >                 1. Merge the files into the db
> > >                 2. (S)ort by (D)estination or (S)ource (P)ort
> > >                 3. Collapse by the same choice
> > >
> > > ////////////////////
> > > // Cerebus Tutorial:
> > > ////////////////////
> > > 	Cerebus is intended to be a paring tool - to cut away
> > > 	uninteresting data and get to the core of security issues.
> > > 	The usual way I use Cerebus is to load in the alert files
> > > 	I want to look at and remove the noise before analyzing
> > > 	anything in detail.
> > >
> > > 	The quick way to get rid of data is to collapse it and then
> > > 	delete the collapsed line.  In this way usually hundreds of
> > > 	thousands of alerts can be reduced to mere hundreds of
> > > 	lines to look at in more detail.
> > >
> > > 	My usual first step is to get rid of the alert types I don't
> > > 	care about (things like code red on web servers etc..) I
> > > 	usually sort by alert and then collapse by alert to nuke
> > > 	alert types I don't like.  Then I usually weed out noisy or
> > > 	often falsing hosts, by sorting on destination ip and port.
> > >
> > > 	You can then use port sorting to eliminate some noisy
> > > 	protocols.
> > >
> > > 	After I get rid of the noise... I then usually sort by source and
> > > 	collapse and start investigating the hosts that have been
> > > 	sending a lot of crap... So far I am pleased to report Cerebus
> > > 	has dramatically decreased the amount of time I have to
> > > 	spend looking over alert files - It lets me manage and analyze
> > > 	volumes of alerts that were previously infeasible to look
> > > 	through for anomalies and interesting data (and would
> > > 	probably have wound up in the bit-bucket without Cerebus).
> > >
> > > 	It works best in as large an xterm as you can fit on your
> > > 	screen with small font sizes... because the scrolling is very
> > > 	fast, you can hop over impressive amounts of data rapidly
> > > 	just using page up and page down. You can do correlation
> > > 	by using the different sort and collapse modes to delete the
> > > 	data between events of interest and look at multi-machine
> > > 	events side by side. Reloading the same file lets you restore
> > > 	those events that you deleted when examining certain
> > > 	hypotheses...
> > >
> > > ////////////////////
> > > // Cerebus Hints:
> > > ////////////////////
> > >         -In the upper right corner of the screen are indicator toggles for the
> > >          collapse modes. To toggle a collapse mode <off> just reselect it.
> > >         -The sort order is a stack.  It gets reset when you sort by (E)vent
> > >         -You can see the sort stack indicator in the upper right next to the
> > >          collapse indicators.
> > >         -The (E)xpand command will clear all collapsing. All the records
> > >          will be ungrouped as you page through the data.
> > >         -If you accidentally deleted some records you can re-merge the
> > >          files you loaded earlier. Cerebus will tell you how many records
> > >          it restored. It will automatically weed out duplicate event IDs.
> > >         -If you are analyzing live files that snort is writing to, you can
> > >          re-merge the files to get the new records recently written out.
> > >         -Flipping over alert files daily/weekly seems to be a nice way
> > >          to manage datasets.
> > >
> > > ////////////////////
> > > // Cerebus Caveats:
> > > ////////////////////
> > >         -Cerebus is not perfect. It's just zippy. If it crashes on you
> > > 	 you have either found a bug and you should tell me or you
> > > 	 need more memory :-). (It will give a diagnostic in this case)
> > >
> > > ////////////////////
> > > // Where to get cerebus:
> > > ////////////////////
> > >
> > > http://dragos.com/cerebus/cerebus-linux-v1.2
> > > http://dragos.com/cerebus/cerebus-fbsd-v1.2
> > > http://dragos.com/cerebus/cerebus-obsd-v1.2
> > >
> > > I hope it saves you some time. Feedback and requests welcome.
> > >
> > > ////////////////////
> > > // Mandatory Commercial Content:
> > > ////////////////////
> > >
> > > -dr is available for ids consulting and analysis and system
> > >  projects. cerebus is available for custom implementation
> > >  integration. more toys under construction. Since Sourcefire
> > >  hasn't recently been farming out any more remote development
> > >  work now that they have a full team in-house in MD I am
> > >  actively seeking development and consulting contracts
> > >  until I get busy with my conference preparations again.
> > >
> > > cheers,
> > > --dr
> 
> -- 
> dr at ...381...   pgp: http://dragos.com/kyxpgp
> Advance CanSecWest/03 registration available: http://cansecwest.com
> "The question of whether computers can think is like the question
>   of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
> 
> 
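Editor's note on the map file and the workflow above. sid-msg.map is a plain text file that ships with the Snort rules, one line per rule in the form "sid || msg || ref || ref ..."; on Linux the equivalent of DIR /s *.map is find / -name '*.map' 2>/dev/null. The script below is an added example, not Snort's gen script and not Cerebus code: it regenerates a sid-msg.map from rule text (which is what you need after adding local rules, as Dragos says), loads it to translate SIDs to text labels, and then does the "sort by alert / collapse by alert" and "collapse by destination IP, remove one host/alert pair" steps from the "Cool things" list over a handful of alert records. The rules, the alert records and the fallback label for an unmapped SID are constructed for illustration; real unified alert files are binary, so the records here are plain tuples.

```python
"""Regenerate sid-msg.map from rule text and collapse alerts by label.

Added example (not Snort's gen script, not Cerebus).  RULES and ALERTS are
constructed; the "sid || msg || ref ..." map line format is Snort's.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed rule text in Snort rule syntax, including one operator-added
# local rule, which is the case that forces a map regeneration.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; reference:bugtraq,1806; reference:cve,CVE-2000-0884; classtype:web-application-attack; sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:cve,CAN-2000-0071; classtype:web-application-attack; sid:1243; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)
# local rule added by the operator
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh from outside"; flow:to_server; classtype:attempted-admin; sid:1000001; rev:1;)
'''

# key:value; pairs inside the rule body; quoted values may contain ';'
_OPT = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def rules_to_sidmap(rule_text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Return {sid: (msg, [references])} for every uncommented rule."""
    sidmap = {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        start, end = line.find('('), line.rfind(')')
        if start < 0 or end < start:
            continue
        sid, msg, refs = None, None, []
        for key, val in _OPT.findall(line[start + 1:end]):
            val = val.strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'msg':
                msg = val.strip('"')
            elif key == 'reference':
                refs.append(val)
        if sid is not None and msg is not None:
            sidmap[sid] = (msg, refs)
    return sidmap


def format_sidmap(sidmap: Dict[int, Tuple[str, List[str]]]) -> str:
    """Serialise as sid-msg.map lines: sid || msg || ref || ref ..."""
    lines = [' || '.join([str(sid), msg, *refs])
             for sid, (msg, refs) in sorted(sidmap.items())]
    return '\n'.join(lines) + '\n'


def parse_sidmap(text: str) -> Dict[int, str]:
    """Load sid-msg.map text into {sid: msg}, the lookup Cerebus needs."""
    names = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        names[int(fields[0])] = fields[1]
    return names


# Constructed alert records: (sid, src, dst, dst_port).
ALERTS = [
    (1002, '10.1.1.5', '192.168.1.10', 80),
    (1002, '10.1.1.5', '192.168.1.10', 80),
    (1243, '10.1.1.7', '192.168.1.10', 80),
    (1243, '10.1.1.7', '192.168.1.11', 80),
    (469, '10.1.1.9', '192.168.1.10', 0),
    (1000001, '10.1.1.9', '192.168.1.20', 22),
    (99999, '10.1.1.9', '192.168.1.20', 22),   # SID with no map entry
]


def label(sid: int, names: Dict[int, str]) -> str:
    # Fallback text is this example's choice, not what Cerebus prints.
    return names.get(sid, f'Unknown SID {sid}')


def collapse_by_alert(alerts, names) -> Counter:
    """(S)ort by (A)lert then (C)ollapse by (A)lert: count per alert type."""
    return Counter(label(sid, names) for sid, *_ in alerts)


def collapse_by_dst_and_alert(alerts, names) -> Counter:
    """Sort by destination IP and alert, collapse: count per (dst, alert)."""
    return Counter((dst, label(sid, names)) for sid, _s, dst, _p in alerts)


def remove_dst_alert(alerts, names, dst: str, msg: str):
    """(R)emove one host/alert pair, step 5 of the delete recipe."""
    return [a for a in alerts if not (a[2] == dst and label(a[0], names) == msg)]


if __name__ == '__main__':
    map_text = format_sidmap(rules_to_sidmap(RULES))
    print(map_text)
    names = parse_sidmap(map_text)
    for msg, n in collapse_by_alert(ALERTS, names).most_common():
        print(f'{n:6d}  {msg}')
    kept = remove_dst_alert(ALERTS, names, '192.168.1.10', 'WEB-IIS cmd.exe access')
    print(len(ALERTS), 'alerts ->', len(kept), 'after removing one host/alert pair')
```

The unmapped SID 99999 is the case to watch for: a stale map silently turns your own local rules into unlabelled noise, so regenerate the map every time the ruleset changes.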



