[Snort-users] IDS provisioning site analysis tool?
jshenk at ...514...
Mon Apr 12 10:16:03 EDT 2004
I think that's quite a bit of what Sourcefire's RNA does. Basically, it
learns what you have, and then when alerts get detected, if it's not
applicable to your environment, then it's not a big issue. So, if you
have all Apache web servers and you get hit with some Unicode directory
traversal attempts trying to run cmd.exe, it really doesn't matter.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Williams
Sent: Monday, April 12, 2004 12:43 PM
To: Snort Users List; Focus-Ids
Subject: [Snort-users] IDS provisioning site analysis tool?
I've been doing IDS work at one site for several years now and have
found that, lacking knowledge about what network traffic is supposed to
exist, one spends the majority of one's effort researching non-issues.
Having spent the time on my local network, I've got that understanding
here, but I'm considering locating sensors at other sites where that
knowledge is lacking. Over the weekend, I got this wild hair that I'd
like a tool that I could run on the new sensor box prior to kicking up
the IDS. This tool would do the following things:
- Monitor the network, displaying some form of a summary of connections,
probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on
Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in
the future and document what it is
Additionally, I think that it might be useful to be able to produce some
form of output that lists the applications/OSes found for use in
selecting IDS rules (i.e. use the file with some script that would
deactivate any snort.org rule for which there isn't a corresponding
target). I doubt that this feature would be in any current tool,
although I think it could be useful.
The way I'm thinking, I'd do a site survey, identify everything I could
as a known application. Whatever's left would need to be tracked down
and either documented as a proper business app or terminated. Once
that's done, this tool could produce the "My Environment" list for use
in building IDS rulesets and/or continue running as a daily checkpoint
for new, unknown/unauthorized traffic.
So, does anyone know of a tool or a set of tools that can do this? If
not, does anyone else see any value in such a beast?
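As an added example (not code from either poster, and not any existing tool), here is a small Python sketch of the last two pieces Williams describes: taking a survey-produced "My Environment" list, commenting out Snort rules whose target platform is absent from that list, and diffing today's survey against the documented baseline to flag new, unauthorized services. Everything in it is constructed for illustration: the survey records, the rule lines (with SIDs in the 1000001+ local range so they don't collide with real snort.org rules), and the table mapping a rule's msg category prefix (WEB-IIS, MS-SQL, ...) to the platform it targets. Matching on the msg prefix is a heuristic, not a Snort feature; a rule whose category isn't in the table is treated as environment-independent and kept.

```python
"""Constructed example: filter a Snort rule set against a site survey, and
report services that appear in a later survey but not in the documented
baseline. Not a real tool; all data below is made up for illustration."""
import re
from typing import List, Set, Tuple

# Hypothetical table: msg category prefix -> platform families the rule
# targets. Anything not listed here is kept regardless of environment.
CATEGORY_TARGETS = {
    "WEB-IIS": {"iis"},
    "WEB-FRONTPAGE": {"iis"},
    "WEB-PHP": {"php"},
    "MS-SQL": {"mssql"},
    "ORACLE": {"oracle"},
    "NETBIOS": {"windows"},
}

# Constructed survey output, one "host os service" record per line, as a
# passive fingerprinting pass might produce it.
SURVEY = """\
10.1.1.10 linux apache
10.1.1.11 linux apache
10.1.1.12 linux php
10.1.1.20 windows mssql
"""

# Constructed rules in Snort syntax with local-range SIDs; only msg matters.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-PHP phpinfo access"; flow:to_server,established; content:"/phpinfo.php"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A,12; ack:0; sid:1000006; rev:1;)
"""

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"sid:(\d+)")
DISABLED_TAG = "# [no target in survey] "


def survey_targets(survey_text: str) -> Set[str]:
    """Collapse survey records into the set of OS/service names present."""
    present: Set[str] = set()
    for line in survey_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            present.add(parts[1])  # os
            present.add(parts[2])  # service
    return present


def rule_category(rule: str) -> str:
    """Leading token of the msg option, e.g. 'WEB-IIS'; '' if no msg."""
    m = MSG_RE.search(rule)
    return m.group(1).split(" ", 1)[0] if m else ""


def rule_applies(rule: str, present: Set[str]) -> bool:
    targets = CATEGORY_TARGETS.get(rule_category(rule))
    if targets is None:
        return True  # no known environment dependency: keep the rule
    return bool(targets & present)


def filter_rules(rules_text: str, present: Set[str]) -> List[str]:
    """Return the rule file with non-applicable rules commented out.
    Blank lines and lines already commented out pass through unchanged."""
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or rule_applies(line, present):
            out.append(line)
        else:
            out.append(DISABLED_TAG + line)
    return out


def disabled_sids(filtered: List[str]) -> List[int]:
    """SIDs of rules that filter_rules() commented out, in file order."""
    return [int(SID_RE.search(l).group(1)) for l in filtered
            if l.startswith(DISABLED_TAG) and SID_RE.search(l)]


def new_services(baseline_text: str, today_text: str) -> List[Tuple[str, str]]:
    """The daily checkpoint: (host, service) pairs seen today but absent
    from the documented baseline survey."""
    def pairs(text: str) -> Set[Tuple[str, str]]:
        return {(p[0], p[2]) for p in (l.split() for l in text.splitlines())
                if len(p) >= 3}
    return sorted(pairs(today_text) - pairs(baseline_text))


if __name__ == "__main__":
    present = survey_targets(SURVEY)
    print("\n".join(filter_rules(RULES, present)))
    today = SURVEY + "10.1.1.30 windows iis\n"  # constructed new host
    print("new since baseline:", new_services(SURVEY, today))
```

Run against the constructed data, the all-Apache/PHP/MSSQL survey disables the two WEB-IIS rules and the ORACLE rule and keeps WEB-PHP, MS-SQL and the SCAN rule; once the checkpoint reports a new IIS host, re-running the filter on that day's survey re-enables the WEB-IIS rules, which is the feedback loop Williams is after.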
Snort-users mailing list
Snort-users at lists.sourceforge.net