[Snort-users] OpenSource Alternative to SourceFire's RNA
AJ Butcher, Information Systems and Computing
Alex.Butcher at ...11254...
Thu Apr 1 01:44:08 EST 2004
--On 31 March 2004 09:39 -0600 Josh Berry <josh.berry at ...10221...>
> I am not looking for correlation, I have already done a great deal of
> development on an application that correlates Snort/Nessus/Windows Event
> Logs/and working on Firewall logs. What I want is something that tracks
> MACs across the network, updating information such as current IP address,
> operating systems, ports being used, and services running on the used
> ports. This information should be collected passively like SourceFire's
> RNA or similar to Tenable's NeVo product.
Ossim also integrates with ntop, p0f and arpwatch (arpwatch needs a small
patch to allow it to listen on interfaces without any IPv4 address). You
can also assign values to assets which it uses to calculate
> With this kind of information an adaptive security environment could be
> created that automatically tunes IDS/VA devices to match the current
> threat level for the network environment.
> The only way I know of how to do this is to create signatures in Snort
> that recognize specific services and Operating Systems, log them in a
> format such as CSV and then run a background process that tails the CSV
> file and inputs new information into a database, or updates old
> information with current changes.
> This method however would be a big undertaking as there are thousands of
> applications and versions out there. The most efficient method I can
> think of is to classify application types (DB/WWW/FTP/DNS) with common
> port listings and assign signatures to the class listings in one big
> database. Once done a script could be created to automatically generate
> the signatures.
As far as I can see, this is exactly the direction ossim is heading.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
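The tail-the-CSV-into-a-database approach quoted above, as an added example that is not code from this thread, OSSIM or SourceFire: the CSV layout (timestamp, MAC, IP, OS guess, port, service) and the sample observations are constructed assumptions. The inventory is keyed by MAC so a host that changes IP address (the arpwatch case) is reported as a change rather than as a second host.

```python
import csv
import io

# Constructed sample observations in the assumed layout:
# epoch_seconds,mac,ip,os_guess,port,service
SAMPLE_CSV = """\
1080777600,00:0c:29:aa:bb:01,10.0.0.5,Linux 2.4,22,ssh
1080777660,00:0c:29:aa:bb:01,10.0.0.5,Linux 2.4,80,http
1080777720,00:0c:29:aa:bb:02,10.0.0.9,Windows 2000,139,netbios-ssn
1080777780,00:0c:29:aa:bb:01,10.0.0.7,Linux 2.4,22,ssh
"""

def new_asset():
    return {"ip": None, "os": None, "services": {},
            "first_seen": None, "last_seen": None}

def ingest(lines, inventory=None):
    """Fold CSV observation lines into a MAC-keyed inventory.

    Can be called repeatedly with the same inventory, so a tail loop
    can hand it each new batch of lines. Returns (inventory, events),
    where events are the changes a defender would want to alert on."""
    inventory = {} if inventory is None else inventory
    events = []
    for row in csv.reader(lines):
        if len(row) != 6:            # reject malformed lines, keep going
            events.append(("malformed", row))
            continue
        ts, mac, ip, os_name, port, service = row
        ts, mac, port = int(ts), mac.lower(), int(port)
        is_new = mac not in inventory
        asset = inventory.setdefault(mac, new_asset())
        if is_new:
            asset["first_seen"] = ts
            events.append(("new_host", mac, ip))
        elif asset["ip"] != ip:      # same MAC, different IP: arpwatch-style flip
            events.append(("ip_changed", mac, asset["ip"], ip))
        if asset["os"] and asset["os"] != os_name:
            events.append(("os_changed", mac, asset["os"], os_name))
        asset["ip"], asset["os"], asset["last_seen"] = ip, os_name, ts
        if port not in asset["services"]:
            events.append(("new_service", mac, port, service))
        asset["services"][port] = service   # latest fingerprint wins
    return inventory, events

def inventory_from_sample():
    return ingest(io.StringIO(SAMPLE_CSV))
```

In a real deployment the dict would be replaced by database upserts and `ingest` called from the loop that follows the CSV file.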