[Snort-users] IDS provisioning site analysis tool?
WilliamsJonathan at ...2134...
Mon Apr 12 09:44:12 EDT 2004
I've been doing IDS work at one site for several years now and have
found that, lacking knowledge about what network traffic is supposed to
exist, one spends the majority of one's efforts researching non-issues.
Having spent the time on my local network, I've got that understanding
here, but I'm considering locating sensors at other sites where that
knowledge is lacking. Over the weekend, I got this wild hair that I'd
like a tool that I could run on the new sensor box prior to kicking up
the IDS. This tool would do the following things:
- Monitor the network, displaying some form of a summary of connections,
probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on
Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in
the future and document what it is
Additionally, I think that it might be useful to be able to produce some
form of output that lists the applications/OSes found for use in
selecting IDS rules (i.e. use the file with some script that would
deactivate any snort.org rule for which there isn't a corresponding
target). I doubt that this feature would be in any current tool,
although I think it could be useful.
The way I'm thinking, I'd do a site survey, identify everything I could
as a known application. Whatever's left would need to be tracked down
and either documented as a proper business app or terminated. Once
that's done, this tool could produce the "My Environment" list for use
in building IDS rulesets and/or continue running as a daily checkpoint
for new, unknown/unauthorized traffic.
So, does anyone know of a tool or a set of tools that can do this? If
not, does anyone else see any value in such a beast?
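The survey-then-prune workflow described above (a per-port summary of what was seen, a documented "My Environment" inventory, a daily diff for undocumented services, and a pass that comments out snort.org rules with no matching target), as an added example rather than anything from the post or from Snort itself. The flow records, the inventory, the rules and the msg-prefix-to-target mapping are all constructed for illustration; the app/OS tags are the kind of thing the passive fingerprinting step would fill in.

```python
"""Site-survey helper: summarize observed services, diff them against a
documented inventory, and prune Snort rules to the documented targets.
Added example, not a tool from the mailing-list post; all inputs constructed."""
import re
from collections import defaultdict

# Constructed flow summaries, as a passive collector might emit them:
# (timestamp, src, dst, proto, dst_port)
FLOWS = [
    ("2004-04-12T09:00:01", "10.1.1.50", "10.1.2.10", "tcp", 80),
    ("2004-04-12T09:00:02", "10.1.1.51", "10.1.2.10", "tcp", 80),
    ("2004-04-12T09:00:05", "10.1.1.50", "10.1.2.20", "tcp", 443),
    ("2004-04-12T09:00:07", "10.1.1.52", "10.1.2.30", "tcp", 25),
    ("2004-04-12T09:00:09", "10.1.1.53", "10.1.2.40", "udp", 53),
    ("2004-04-12T09:00:11", "10.1.1.54", "10.1.2.99", "tcp", 3306),  # nobody documented this
]

# Constructed "My Environment" inventory: (host, proto, port) -> what it is.
# This is what the "i" keypress in the post would build up over time.
INVENTORY = {
    ("10.1.2.10", "tcp", 80):  {"app": "apache", "os": "linux", "note": "intranet web"},
    ("10.1.2.20", "tcp", 443): {"app": "iis", "os": "windows", "note": "extranet portal"},
    ("10.1.2.30", "tcp", 25):  {"app": "sendmail", "os": "linux", "note": "mail relay"},
    ("10.1.2.40", "udp", 53):  {"app": "bind", "os": "linux", "note": "internal dns"},
}

def summarize_by_port(flows):
    """Connections per (proto, dst_port): which servers were hit and how often."""
    summary = defaultdict(lambda: {"servers": set(), "count": 0})
    for _ts, _src, dst, proto, port in flows:
        entry = summary[(proto, port)]
        entry["servers"].add(dst)
        entry["count"] += 1
    return dict(summary)

def unknown_services(flows, inventory):
    """Services seen on the wire that are not in the inventory (the daily checkpoint)."""
    seen = {(dst, proto, port) for _ts, _src, dst, proto, port in flows}
    return sorted(seen - set(inventory))

def environment_tags(inventory):
    """Flat set of application/OS tags present on site, used for rule selection."""
    tags = set()
    for props in inventory.values():
        tags.add(props["app"])
        tags.add(props["os"])
    return tags

# Hypothetical mapping from Snort msg: prefixes to the one target they apply to.
# Rules whose prefix is not listed here are always kept.
PREFIX_TARGET = {
    "WEB-IIS": "iis",
    "WEB-FRONTPAGE": "iis",
    "MYSQL": "mysql",
    "ORACLE": "oracle",
}
MSG_RE = re.compile(r'msg:\s*"([A-Z0-9-]+)\b')

def prune_rules(rules_text, tags):
    """Comment out each rule whose msg prefix names a target absent from the site.
    Returns (new_rules_text, number_of_rules_disabled)."""
    out, disabled = [], 0
    for line in rules_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("alert"):
            m = MSG_RE.search(stripped)
            target = PREFIX_TARGET.get(m.group(1)) if m else None
            if target and target not in tags:
                out.append("# " + line)  # Snort ignores lines starting with '#'
                disabled += 1
                continue
        out.append(line)
    return "\n".join(out), disabled

# Constructed rules in Snort 2.x syntax; not copied from any snort.org ruleset.
RULES = '''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS example"; flow:to_server; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example"; flow:to_server; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MYSQL example"; flow:to_server; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE example"; flow:to_server; sid:1000004;)
'''

if __name__ == "__main__":
    for (proto, port), entry in sorted(summarize_by_port(FLOWS).items()):
        print(f"{proto}/{port}: {entry['count']} conns to {sorted(entry['servers'])}")
    print("undocumented:", unknown_services(FLOWS, INVENTORY))
    pruned, n = prune_rules(RULES, environment_tags(INVENTORY))
    print(f"disabled {n} rule(s)\n{pruned}")
```

With the constructed data, tcp/3306 on 10.1.2.99 comes back as undocumented, and the MYSQL and ORACLE rules are commented out while the WEB-IIS rule survives because an IIS host is in the inventory. The prefix-to-target table is the weak spot of this approach: a rule whose msg does not follow a predictable prefix convention cannot be classified this way and is kept, which is the safe default.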