[Snort-users] IDS provisioning site analysis tool?

Martin Roesch roesch at ...1935...
Tue Apr 13 08:18:08 EDT 2004

Hi Jon,

> That's all well and good for an installed IDS product, but it sounds to
> me as if RNA is both a compensation for a lack of administrator
> knowledge and an ongoing false-positive reduction technique.  I think
> what I'm looking for is more of a tool to help admins understand what
> their environment is prior to deploying IDS.

RNA can also run as a standalone process to do the things you 
describe; we've just taken the additional step to integrate automated 
analysis with it for a variety of uses for overloaded admins who don't 
have the time/skill to properly tune their IDSes.  RNA's basic 
functionality is to provide you with a map of the network environment 
including lots of data that's essential to deploying your IDS properly 
like the OSes and services that are running on your hosts and the 
topology of the network in addition to the existence of the hosts 
themselves.  You can run this before you deploy your IDS to understand 
the protection profile you should be running and get the added benefit 
of RNA letting you see changes that might be critical to your IDS 
configuration in real-time.

> Most of this is based on my experiences with my current IDS setup.  If I
> only relied on the snort.org rulesets, I'd be missing a whole slew of
> traffic that, while not hostile from the signature standpoint, is at a
> minimum anomalous (i.e. IP addresses that are not ours sourcing traffic
> that is destined to IP addresses which are also not ours, etc.) and at
> worst point to serious chinks in our network armor.  We've done a number
> of tcpdump experiments, gradually winnowing out stuff that we don't want
> to see and it has helped us develop custom rules that are extremely good
> at finding these oddities.  I was hoping to find either a tool or enough
> people interested in such a tool to get one written.

RNA can do flow tracking and analysis to help you build those "odd 
ball" rules too, I guess it depends on what your specific requirements 
are but I think it would cover them better than you might think.  After 
all, I originally built RNA to produce just that sort of data for 


> Jon
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...1935...]
> Sent: Tuesday, April 13, 2004 9:33 AM
> To: Williams Jon
> Cc: Snort Users List; Focus-Ids
> Subject: Re: [Snort-users] IDS provisioning site analysis tool?
> Hi Jon,
> I think our RNA product can help you, it performs passive OS
> identification, passive service protocol identification (including
> vendor and version ID), flow logging, passive vulnerability inference,
> target (host) modeling, etc.
> To address your "feature list", RNA can do the following things:
> - Connection summaries (flow logging/analysis)
> - Passive OS & Service fingerprinting including identification of
> service vendor/version
> - List of services/vendors/versions & host models for rules selection
> It doesn't produce automatic rule tuning at this point, I think that
> that feature will show up in the future though.
> RNA is a commercial product though, so I don't know how that might fit
> with budgetary constraints you might have.
> One thing you might consider if you *do* have a budget is that
> Sourcefire is offering a Snort Agent product now that can transport
> event data from open source sensors up to the Sourcefire Management
> Console (MC) for analysis/reporting/incident management.  Our version
> 3.1.2 update for the MC that's coming out this week includes an Impact
> Correlator that analyzes events coming from the IDSes against RNA's
> network/vulnerability map and can gauge the impact of an event based on
> the real-time assessment of your network environment.  This is pretty
> cool because it's independent of the arbitrary priority field in Snort
> rules that may or may not have any relevance to your actual network.
> Anyway, enough marketing foo.  If you want to try to wire something
> together with open source parts you could probably do so with a variety
> of pieces parts and a bunch of perl, depends on how much time you've
> got...
>       -Marty
> On Apr 12, 2004, at 12:43 PM, Williams Jon wrote:
>> I've been doing IDS work at one site for several years now and have
>> found that, with a lack of knowledge about what network traffic is
>> supposed to exist, one spends the majority of their efforts researching
>> non-issues.
>> Having spent the time on my local network, I've got that understanding
>> here, but I'm considering locating sensors at other sites where that
>> knowledge is lacking.  Over the weekend, I got this wild hair that I'd
>> like a tool that I could run on the new sensor box prior to kicking up
>> the IDS.  This tool would do the following things:
>> - Monitor the network, displaying some form of a summary of
>> connections, probably organized by service port
>> - Passive OS and server fingerprinting to help differentiate Apache on
>> Linux from IIS on W2K, etc.
>> - Through a keypress (like "i"), flag a given service to be ignored in
>> the future and document what it is
>> Additionally, I think that it might be useful to be able to produce
>> some form of output that lists the applications/OSes found for use in
>> selecting IDS rules (i.e. use the file with some script that would
>> deactivate any snort.org rule for which there isn't a corresponding
>> target).  I doubt that this feature would be in any current tool,
>> although I think it could be useful.
>> The way I'm thinking, I'd do a site survey, identify everything I
>> could as a known application.  Whatever's left would need to be
>> tracked down and either documented as a proper business app or
>> terminated.  Once that's done, this tool could produce the "My
>> Environment" list for use in building IDS rulesets and/or continue
>> running as a daily checkpoint for new, unknown/unauthorized traffic.
>> So, does anyone know of a tool or a set of tools that can do this?  If
>> not, does anyone else see any value in such a beast?
>> Thanks.
>> Jon
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring roesch at ...1935... -
> http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
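
The pre-deployment site survey Jon describes in the quoted message (connections summarized by service port, an ignore list for documented services, and a flag for traffic where neither endpoint is ours), as an added example that is not part of the original thread and is not RNA or Snort code. The home network range, the flow records and the ignore list are constructed, and the destination port is assumed to be the service port.

```python
import ipaddress
from collections import Counter

# Assumption: the site's own address space (constructed for this example).
HOME_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Services already tracked down and documented, so they are left out of the summary.
IGNORED = {("tcp", 25): "internal mail relay"}

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port).
# Assumption: each record is initiator -> responder, so dst_port is the service.
FLOWS = [
    ("tcp", "10.1.2.3", 40000, "10.1.0.10", 80),
    ("tcp", "198.51.100.7", 51000, "10.1.0.10", 80),
    ("tcp", "10.1.2.4", 40001, "10.1.0.25", 25),
    ("udp", "10.1.2.3", 5353, "10.1.0.53", 53),
    ("tcp", "192.0.2.9", 1234, "203.0.113.5", 6667),
    ("tcp", "10.1.2.9", 40100, "10.1.0.77", 31337),
]

def is_ours(ip, home_nets=HOME_NETS):
    """True when the address falls inside one of the site's networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_nets)

def survey(flows, ignored=IGNORED):
    """Return (connections per service, flows where neither endpoint is ours)."""
    services = Counter()
    not_ours = []
    for proto, src, sport, dst, dport in flows:
        # Neither side is local: anomalous regardless of any signature.
        if not is_ours(src) and not is_ours(dst):
            not_ours.append((proto, src, sport, dst, dport))
            continue
        # Documented services are suppressed from the summary.
        if (proto, dport) in ignored:
            continue
        services[(proto, dport)] += 1
    return services, not_ours

if __name__ == "__main__":
    services, not_ours = survey(FLOWS)
    for (proto, port), count in services.most_common():
        print(f"{proto}/{port}: {count} connection(s)")
    for flow in not_ours:
        print("neither endpoint is ours:", flow)
```

Whatever remains in the per-service summary after the ignore list is applied is the set of services still to be identified or documented before rules are selected.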
