[Snort-users] Announce: FLoP-1.0 --- Fast Logging Project for snort

Dirk Geschke Dirk at ...10648...
Fri Nov 28 07:44:09 EST 2003


Hi all,

I have just released the Fast Logging Project for snort: FLoP-1.0

This project is intended for a distributed snort sensor network
where all alerts are gathered on a central server.

The idea of the project is to decouple the output from the snort
sniffing process. The alerts together with the payload are written
via a unix domain socket to a threaded process called sockserv.

One thread reads the alerts (and payloads if available), the second
thread forwards them to a central server.

On the central server the process servsock waits for incoming alerts
from remote sensors. If a sensor connects, an instance of servsock is
forked off to handle the communication until the connection is stopped.

The forked process uses two threads, one to receive and buffer the
alerts with payload from the remote sensors. The second thread feeds
these entries to a database.

Currently only the PostgreSQL and MySQL databases are supported.

Since we are using unix domain sockets to communicate between
the processes - which do not block - this communication is quite
fast and we have no blocking processes.

The alerts and payloads are spooled to the central server
via two TCP packets. On the central server the several INSERT
and SELECT statements are sent via the unix domain socket to
the database. Obviously this should be much faster than using
database access via TCP over the real network.

Further, alerts with high priority can be sent together
with the database ID to a list of recipients. Of course there
is a little delay: first the alert has to be inserted in the
database to get the database ID before we can send it via
E-Mail. The E-Mails can be sent on a periodic basis (if
appropriate alerts are available) and/or if a given number of
alerts is reached. The idea here is to avoid sending one
E-Mail for each alert, which could result in a DoS.

And finally: There is a false positive generator available
similar to snot called fpg. This program takes at least 3
parameters: a source address, a destination address and a
snort configuration file. The program tries to generate, for
each rule of the snort configuration file, a network packet
with the two addresses which should raise an alert within snort.

This will not and shall not work with the established feature of
TCP rules. The idea is simply to generate alerts at a high rate
to test the FLoP tools and the database.

Further information can be found at

http://www.geschke-online.de/FLoP

Best regards

Dirk Geschke

PS: Snort got an extension to write statistics on a periodic
basis to --- yes --- a unix domain socket.
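The following Python is an added illustration of the pipeline described in the announcement above; it is not FLoP's own code and makes no claim about FLoP's wire format or internals. It models the two halves the post describes: a sockserv-like side with one thread reading alerts from a unix domain socket into a queue and a second thread forwarding them over TCP, and a servsock-like side with one thread receiving and buffering frames and a second inserting them into a database, then batching the database IDs of high-priority alerts so that one notification covers several alerts rather than one per alert. The length-prefixed JSON framing, the field names, the "priority 1 is high" threshold, a thread standing in for the fork, and an in-memory SQLite database standing in for PostgreSQL/MySQL are all assumptions of this example; the sample alerts are constructed.

```python
import json, os, queue, socket, sqlite3, struct, tempfile, threading

def pack(msg):
    """Length-prefixed JSON frame (assumed wire format, not FLoP's)."""
    body = json.dumps(msg).encode()
    return struct.pack("!I", len(body)) + body

def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed, possibly mid-frame
        buf += chunk
    return bytes(buf)

def recv_frame(sock):
    hdr = recv_exact(sock, 4)
    if hdr is None:
        return None
    body = recv_exact(sock, struct.unpack("!I", hdr)[0])
    return None if body is None else json.loads(body)

def pump(sock, q):
    """Reader thread: move frames from a socket into a queue; None marks EOF."""
    while (msg := recv_frame(sock)) is not None:
        q.put(msg)
    q.put(None)

def sockserv(unix_listener, server_addr):
    """Sensor side: one thread reads alerts from the unix domain socket into a
    queue, this thread forwards them over TCP. A slow network fills the queue
    instead of stalling the writer on the unix socket."""
    conn, _ = unix_listener.accept()
    q = queue.Queue()
    threading.Thread(target=pump, args=(conn, q), daemon=True).start()
    tcp = socket.create_connection(server_addr)
    while (msg := q.get()) is not None:
        tcp.sendall(pack(msg))
    tcp.close(); conn.close()

def servsock(tcp_listener, db, notify, batch_size):
    """Central side for one sensor connection (a thread stands in for the fork):
    one thread receives and buffers frames, this thread inserts them and batches
    the database IDs of high-priority alerts for notification."""
    conn, _ = tcp_listener.accept()
    q = queue.Queue()
    threading.Thread(target=pump, args=(conn, q), daemon=True).start()
    pending = []
    while (msg := q.get()) is not None:
        cur = db.execute("INSERT INTO alerts (sid, priority, payload_hex) VALUES (?, ?, ?)",
                         (msg["sid"], msg["priority"], msg["payload_hex"]))
        if msg["priority"] == 1:           # priority 1 counts as "high" (assumption)
            pending.append(cur.lastrowid)  # the ID only exists after the INSERT
            if len(pending) >= batch_size:
                notify(pending)            # one mail per batch, not one per alert
                pending = []
    if pending:
        notify(pending)
    db.commit(); conn.close()

# Constructed sample alerts (sids and payloads made up for this example).
SAMPLE_ALERTS = [
    {"sid": 1000001, "priority": 1, "payload_hex": b"GET /../../etc/passwd".hex()},
    {"sid": 1000002, "priority": 3, "payload_hex": b"\x00\x01\x02\xff".hex()},
    {"sid": 1000003, "priority": 1, "payload_hex": b"/bin/sh".hex()},
    {"sid": 1000004, "priority": 1, "payload_hex": ""},  # alert without payload
]

def sensor(unix_path, alerts):
    """Plays Snort's output side: write alerts to the unix domain socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(unix_path)
    for a in alerts:
        s.sendall(pack(a))
    s.close()

def run_pipeline(alerts, batch_size=2):
    """Wire sensor -> sockserv -> servsock -> DB in one process and return
    (rows stored in the database, list of notification batches of DB IDs)."""
    tmp = tempfile.mkdtemp()
    unix_path = os.path.join(tmp, "snort_alert")
    usock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    usock.bind(unix_path); usock.listen(1)
    tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tsock.bind(("127.0.0.1", 0)); tsock.listen(1)  # ephemeral port for the demo
    db = sqlite3.connect(":memory:")  # in-memory SQLite stands in for PostgreSQL/MySQL
    db.execute("CREATE TABLE alerts (id INTEGER PRIMARY KEY, sid INTEGER, "
               "priority INTEGER, payload_hex TEXT)")
    batches = []
    threading.Thread(target=sockserv, args=(usock, tsock.getsockname()), daemon=True).start()
    threading.Thread(target=sensor, args=(unix_path, alerts), daemon=True).start()
    servsock(tsock, db, batches.append, batch_size)
    rows = db.execute("SELECT id, sid, priority, payload_hex FROM alerts ORDER BY id").fetchall()
    usock.close(); tsock.close()
    os.unlink(unix_path); os.rmdir(tmp)
    return rows, batches

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ALERTS))
```

Running the block as a script prints the stored rows and the notification batches. The point to take from it is structural: each hop hands frames to a queue that a separate thread drains, so a stall on the network or the database backs up in the queue rather than in the sniffing process, and the notification side only sees an alert after its INSERT has produced a database ID, which is the delay the announcement mentions. A production version would bound the queues and decide what to do when they fill, which this example leaves out.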