[Snort-users] Alert on new IP in use?

Daniel Cid daniel.cid at ...1935...
Mon Aug 1 15:39:03 EDT 2005


I didn't know about the NBS from Marcus. However, the OSSEC HIDS
does what I called the "FTS" (First time seen). The idea is very close 
to the NBS and very useful to avoid false positives and an excessive 
number of alerts. Basically, when a new (first time seen) snort event
is generated, it will increase the "level" (or importance) of this event 
and generate an alert (mail notification, etc). From my tests, after a 
few days running the application, most of the snort false positives will 
go out and you will only get "new" and important stuff.

*The FTS from the OSSEC HIDS also works with ssh, ftp, su and sudo logs 
(I'm working to add support for other log types). For example, it
will notify when the user "xyz" logs in for the first time on the server 
"abc". It also performs some statistical analysis + rule-based log 
analysis (in the xml format).

If anyone is interested: http://www.ossec.net/hids/

*a new version is coming soon with an integrated and scalable integrity 
check process.

Daniel
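The first-time-seen logic described above, as an added example that is not OSSEC's code nor Marcus Ranum's NBS: a small Python pass over constructed Snort fast-alert lines that raises the level of a signature/source pair on its first sighting and reports any address missing from a pre-seeded inventory (the new-IP question that started the thread). The regex, level numbers, SIDs and addresses are assumptions made for the demonstration.

```python
"""First-time-seen (FTS) escalation over Snort-style "fast" alert lines.
Added example, not OSSEC's or Marcus Ranum's NBS code; the log lines,
rule SIDs and addresses are constructed for the demonstration."""
import re

# Fast-alert layout assumed: <ts>  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*? \[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)
BASE_LEVEL = 3   # level for an event that has been seen before
FTS_LEVEL = 8    # level a never-before-seen event is raised to


def first_time(seen: set, key: str) -> bool:
    """Record key in seen; return True only on its first sighting."""
    if key in seen:
        return False
    seen.add(key)
    return True


def process(lines, known_ips):
    """Run two FTS stores over Snort alert lines.

    Signatures are keyed on "gid:sid@src": a repeat keeps BASE_LEVEL, a first
    sighting gets FTS_LEVEL. Addresses are pre-seeded with the inventory of
    hosts that belong on the wire, so any other address is reported once as new.
    Returns (alerts, new_ips); alerts is a list of (signature, src, level).
    """
    seen_sigs, seen_ips = set(), set(known_ips)
    alerts, new_ips = [], []
    for line in lines:
        m = FAST_RE.search(line)
        if not m:
            continue   # not a fast-format alert line
        sig = f"{m['gid']}:{m['sid']}"
        level = FTS_LEVEL if first_time(seen_sigs, f"{sig}@{m['src']}") else BASE_LEVEL
        alerts.append((sig, m["src"], level))
        new_ips += [ip for ip in (m["src"], m["dst"]) if first_time(seen_ips, ip)]
    return alerts, new_ips


SAMPLE = [  # constructed lines; SIDs taken from the local 1000000+ range
    "08/01-08:15:02.1  [**] [1:1000001:1] LOCAL probe A [**] [Priority: 3] {TCP} 192.168.10.21:4321 -> 192.168.10.5:445",
    "08/01-08:15:09.2  [**] [1:1000001:1] LOCAL probe A [**] [Priority: 3] {TCP} 192.168.10.21:4322 -> 192.168.10.5:445",
    "08/01-08:16:30.3  [**] [1:1000002:1] LOCAL probe B [**] [Priority: 3] {TCP} 192.168.10.77:4123 -> 192.168.10.5:25",
]
INVENTORY = {"192.168.10.5", "192.168.10.21"}  # constructed: the addresses that belong here
```

Running `process(SAMPLE, INVENTORY)` gives the repeated probe A alert the base level, the two first sightings the raised level, and reports 192.168.10.77 as the only address outside the inventory.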

Williams Jon wrote:

>I realize your question was posted to the snort list, but there is a
>neat tool called Never Before Seen (NBS) by Marcus Ranum that does this.
>I worked with it for a while, but got pulled off on other projects so I
>haven't touched it in a while.  Should work well for your application,
>though.
>
>You can find NBS at Marcus' website:
>
>http://www.ranum.com/security/computer_security/index.html
>
>Jon 
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich
>Adamson
>Sent: Monday, August 01, 2005 8:15 AM
>To: Snort Users Postings
>Subject: [Snort-users] Alert on new IP in use?
>
>
>Looking for a way to monitor a small banking network and generate an
>alert when an unused IP address is observed. The current IPs are not
>consecutive.
>
>Example: we have 26 static IP addresses assigned to workstations and
>servers. If a 27th (or greater) address appears on the wire, generate an
>alert. (Note: not very interested in watching MAC addresses as some of
>the IPs are behind another layer-3 device.)
>
>Thoughts?
>
>
>
>
>-------------------------------------------------------
>SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
>from IBM. Find simple to follow Roadmaps, straightforward articles,
>informative Webcasts and more! Get everything you need to get up to
>speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>