[Snort-users] OpenSource Alternative to SourceFire's RNA

AJ Butcher, Information Systems and Computing Alex.Butcher at ...11254...
Thu Apr 1 01:44:08 EST 2004

--On 31 March 2004 09:39 -0600 Josh Berry <josh.berry at ...10221...> 

> I am not looking for correlation, I have already done a great deal of
> development on an application that correlates Snort/Nessus/Windows Event
> Logs/and working on Firewall logs.  What I want is something that tracks
> MAC's across the network, updating information such as current IP address,
> operating systems, port being used, and services running on the used
> ports.  This information should be collected passively like SourceFire's
> RNA or similar to Tenable's NeVo product.

Ossim also integrates with ntop, p0f and arpwatch (arpwatch needs a small 
patch to allow it to listen on interfaces without any IPv4 address). You 
can also assign values to assets which it uses to calculate 
most-at-risk/most-likely-to-be-compromised hosts.

> With this kind of information an adaptive security environment could be
> created that automatically tunes IDS/VA devices to match the current
> threat level for the network environment.
> The only way I know of how to do this is to create signatures in Snort
> that recognize specific services and Operating Systems, log them in a
> format such as CSV and then run a background process that tails the CSV
> file and inputs new information into a database, or updates old
> information with current changes.
> This method however would be a big undertaking as there are thousands of
> applications and versions out there.  The most efficient method I can
> think of is to classify application types (DB/WWW/FTP/DNS) with common
> port listings and assign signatures to the class listings in one big
> database.  Once done a script could be created to automatically generate
> the signatures.

As far as I can see, this is exactly the direction ossim is heading.

> Thanks

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-users mailing list