[Snort-users] IDS provisioning site analysis tool?

Williams Jon WilliamsJonathan at ...2134...
Mon Apr 12 09:44:12 EDT 2004

I've been doing IDS work at one site for several years now and have
found that, lacking knowledge about what network traffic is supposed to
exist, one spends the majority of their efforts researching non-issues.
Having spent the time on my local network, I've got that understanding
here, but I'm considering locating sensors at other sites where that
knowledge is lacking.  Over the weekend, I got this wild hair that I'd
like a tool that I could run on the new sensor box prior to kicking up
the IDS.  This tool would do the following things:

- Monitor the network, displaying some form of a summary of connections,
probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on
Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in
the future and document what it is

Additionally, I think that it might be useful to be able to produce some
form of output that lists the applications/OSes found for use in
selecting IDS rules (i.e. use the file with some script that would
deactivate any snort.org rule for which there isn't a corresponding
target).  I doubt that this feature would be in any current tool,
although I think it could be useful.

The way I'm thinking, I'd do a site survey, identify everything I could
as a known application.  Whatever's left would need to be tracked down
and either documented as a proper business app or terminated.  Once
that's done, this tool could produce the "My Environment" list for use
in building IDS rulesets and/or continue running as a daily checkpoint
for new, unknown/unauthorized traffic.

So, does anyone know of a tool or a set of tools that can do this?  If
not, does anyone else see any value in such a beast?
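As an added illustration of the survey/checkpoint workflow described in the post (this is example code written here, not the poster's or any Snort project tool), the script below aggregates client-to-server flow records by server and service port, compares them against a "My Environment" allowlist, and reports what is still undocumented. The flow-record and allowlist formats are assumed for the example, and the sample data is constructed.

```python
"""Baseline service inventory for IDS provisioning (added example).
Assumed input: one flow per line, "<proto> <client>:<port> -> <server>:<port> <pkts>",
where the right-hand side is the server side of the connection (assumption)."""
import re
from collections import defaultdict

# Constructed sample flow records (e.g. exported from a connection logger).
SAMPLE_FLOWS = """\
tcp 10.1.1.20:51234 -> 10.1.1.5:80 12
tcp 10.1.1.21:49152 -> 10.1.1.5:80 7
tcp 10.1.1.20:51240 -> 10.1.1.6:443 3
udp 10.1.1.20:5353 -> 10.1.1.7:53 40
tcp 10.1.1.30:33000 -> 10.1.1.9:23 1
"""

# Assumed "My Environment" file format: "<server> <proto>/<port> <description>".
KNOWN_SERVICES = """\
# documented during the site survey
10.1.1.5 tcp/80 intranet web (Apache on Linux)
10.1.1.7 udp/53 internal DNS
"""

FLOW_RE = re.compile(r"(\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\d+)")

def summarize(flow_text):
    """Return {(server, proto, port): (flow_count, packet_count)}."""
    summary = defaultdict(lambda: [0, 0])
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue                      # skip malformed records rather than abort
        proto, _, _, server, port, pkts = m.groups()
        summary[(server, proto, int(port))][0] += 1
        summary[(server, proto, int(port))][1] += int(pkts)
    return {k: tuple(v) for k, v in summary.items()}

def load_known(text):
    """Parse the allowlist into {(server, proto, port): description}."""
    known = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        server, svc, desc = line.split(None, 2)
        proto, port = svc.split("/")
        known[(server, proto, int(port))] = desc
    return known

def unknown_services(summary, known):
    """The daily checkpoint: observed services not yet documented."""
    return sorted(k for k in summary if k not in known)

def document_service(known, key, description):
    """The 'i' keypress: record a service so it is ignored from now on."""
    return {**known, key: description}
```

Running `unknown_services(summarize(SAMPLE_FLOWS), load_known(KNOWN_SERVICES))` on the constructed data flags the HTTPS server and the telnet listener as undocumented; the latter is exactly the kind of leftover the post says must be tracked down or terminated.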
