[Snort-users] Hogger 0.1.3 released

Edward Bjarte Fjellskål edward.fjellskal at ...14590...
Tue Mar 23 17:56:58 EDT 2010


Hi,

When I first noticed the host attribute table about 2 years ago,
I started to fiddle with the idea of how to populate it automagically(tm).

The "limitation" of nmap is that it would need to scan 65535 times two
ports on each host to see the whole picture of what services are running.
Also, if you scan an OK-sized network, it takes time, and when you are finished,
you should start over to see if there is a diff :) (new services might be
popping up...)

I was also doing consultancy for a customer, where the requirements were
to map the network non-intrusively, for configuring an IDS as best as possible.
(read: don't portscan the environment)

I started to draft a solution back then, implemented it in perl, where speed
sucked, and rewrote it in C. It has been a long journey, and I now see that
there are other tools out there that do something like this for you,
but most are commercial, and only one is for Snort. Also I have learned a lot,
which I find amusing :)

The upside in all this is that PRADS can also see client side traffic,
meaning it knows what browser the hosts use, etc., which is something that
nmap can never find out. I remember somewhere in the Snort doc saying
something about such features might be useful in the future :)
It will also see hosts and services the moment they start to talk
on the network, hence "R" for real-time :)

Anyway, I (and others) have made PRADS, whose main
purpose was to populate the host attribute table for snort :)
which is something that it does today. Detection is mainly based
on the fine work of Michal Zalewski (p0f) and Matt Shelton (PADS).
We have taken the two tools one step further and also focused on 
performance, since my main goal was to run it side by side to snort.

The main work is done, but PRADS can benefit from signature contributions
and testers :) At the moment, we are compatible with p0f signatures and
PADS signatures (so if you have a personal repo of such, my inbox is open :) )

Hopefully there can be some synergy between nmap+hogger and PRADS in the
future.

E

----- Original Message -----
From: "Shawn Jefferson" <Shawn.Jefferson at ...14448...>
To: "Joel Esler" <joel.esler at ...14399...>, "Andy Berryman" <aberryman at ...391...4758...>
Cc: "Parker Crook" <Parker_Crook at ...14786...>, snort-users at ...2987...rge.net
Sent: 23 March 2010 18:01:42
Subject: Re: [Snort-users] Hogger 0.1.3 released

Is there any downside to using it?

-- 
Edward Bjarte Fjellskål
Senior Security Analyst
Redpill Linpro AS
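The message above describes what a passive asset tool has to do for Snort: turn a stream of host, service and client sightings into the host attribute table (the XML that Snort 2.8 loads with `attribute_table filename ...`), with repeated sightings of the same service collapsed into one entry and client-side observations (the browser a host uses) kept separately from listening services. The following is an added example of that transformation, written for this page; it is not PRADS code, nor Hogger's, and the author did not post it. The input records are a constructed format for illustration, not PRADS's asset log format. The element names follow the host attribute table layout in the Snort 2.8 manual (`SNORT_ATTRIBUTES`, `ATTRIBUTE_TABLE`, `HOST`, `OPERATING_SYSTEM`, `SERVICES`, `CLIENTS`, with `ATTRIBUTE_VALUE`/`CONFIDENCE` pairs), and the `POLICY` mapping from fingerprinted OS family to frag3/stream5 policy names is an assumption to adjust for your Snort build; verify both against the manual for the version you run.

```python
"""Build a Snort 2.8-style host attribute table from passive sightings.

Added example for this mailing-list page, not PRADS or Hogger code.
The OBSERVATIONS records are a constructed format, not PRADS's asset log.
"""
from xml.etree import ElementTree as ET

# Constructed sightings, in the order a passive sensor might emit them.
# The ssh service on 10.0.0.5 is seen twice and must collapse to one entry;
# 10.0.0.7 is only ever seen as an HTTP client, never as a server.
OBSERVATIONS = [
    {"ip": "10.0.0.5", "kind": "os", "name": "Linux", "vendor": "Linux",
     "version": "2.6", "confidence": 80},
    {"ip": "10.0.0.5", "kind": "server", "ipproto": "tcp", "port": 22,
     "protocol": "ssh", "app": "OpenSSH", "version": "5.3p1", "confidence": 90},
    {"ip": "10.0.0.5", "kind": "server", "ipproto": "tcp", "port": 22,
     "protocol": "ssh", "app": "OpenSSH", "version": "5.3p1", "confidence": 100},
    {"ip": "10.0.0.5", "kind": "server", "ipproto": "tcp", "port": 80,
     "protocol": "http", "app": "Apache", "version": "2.2", "confidence": 100},
    {"ip": "10.0.0.7", "kind": "os", "name": "Windows", "vendor": "Microsoft",
     "version": "XP", "confidence": 70},
    {"ip": "10.0.0.7", "kind": "client", "ipproto": "tcp", "protocol": "http",
     "app": "Firefox", "version": "3.6", "confidence": 90},
]

# Assumed mapping from OS family to the frag3/stream5 target-based policy
# names; "bsd" is the assumed fallback. Check against your Snort version.
POLICY = {"Linux": "linux", "Windows": "windows"}
DEFAULT_POLICY = "bsd"


def merge(observations):
    """Collapse repeated sightings per host, keeping the most confident one.

    Services are keyed by (ipproto, port); clients by (ipproto, protocol, app),
    since a client has no listening port to key on.
    """
    hosts = {}
    for o in observations:
        h = hosts.setdefault(o["ip"], {"os": None, "services": {}, "clients": {}})
        if o["kind"] == "os":
            if h["os"] is None or o["confidence"] > h["os"]["confidence"]:
                h["os"] = o
            continue
        bucket = h["services"] if o["kind"] == "server" else h["clients"]
        key = ((o["ipproto"], o["port"]) if o["kind"] == "server"
               else (o["ipproto"], o["protocol"], o["app"]))
        cur = bucket.get(key)
        if cur is None or o["confidence"] > cur["confidence"]:
            bucket[key] = o
    return hosts


def _attr(parent, tag, value, confidence):
    """Emit <TAG><ATTRIBUTE_VALUE>v</ATTRIBUTE_VALUE><CONFIDENCE>c</CONFIDENCE></TAG>."""
    e = ET.SubElement(parent, tag)
    ET.SubElement(e, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(e, "CONFIDENCE").text = str(confidence)
    return e


def _application(parent, o):
    app = _attr(parent, "APPLICATION", o["app"], o["confidence"])
    _attr(app, "VERSION", o["version"], o["confidence"])


def build_table(observations):
    """Return the <SNORT_ATTRIBUTES> element tree for the merged hosts."""
    root = ET.Element("SNORT_ATTRIBUTES")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for ip, h in sorted(merge(observations).items(), key=lambda kv: kv[0]):
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        if h["os"] is not None:
            o = h["os"]
            os_el = ET.SubElement(host, "OPERATING_SYSTEM")
            _attr(os_el, "NAME", o["name"], o["confidence"])
            _attr(os_el, "VENDOR", o["vendor"], o["confidence"])
            _attr(os_el, "VERSION", o["version"], o["confidence"])
            policy = POLICY.get(o["name"], DEFAULT_POLICY)
            ET.SubElement(os_el, "FRAG_POLICY").text = policy
            ET.SubElement(os_el, "STREAM_POLICY").text = policy
        if h["services"]:  # only emit the section when something was seen
            services = ET.SubElement(host, "SERVICES")
            for (ipproto, port), o in sorted(h["services"].items(), key=lambda kv: kv[0]):
                s = ET.SubElement(services, "SERVICE")
                _attr(s, "PORT", port, o["confidence"])
                _attr(s, "IPPROTO", ipproto, o["confidence"])
                _attr(s, "PROTOCOL", o["protocol"], o["confidence"])
                _application(s, o)
        if h["clients"]:
            clients = ET.SubElement(host, "CLIENTS")
            for (ipproto, protocol, _), o in sorted(h["clients"].items(), key=lambda kv: kv[0]):
                c = ET.SubElement(clients, "CLIENT")
                _attr(c, "IPPROTO", ipproto, o["confidence"])
                _attr(c, "PROTOCOL", protocol, o["confidence"])
                _application(c, o)
    return root


def to_xml(observations):
    """Serialise the table; write this to the file named by attribute_table."""
    return ET.tostring(build_table(observations), encoding="unicode")


if __name__ == "__main__":
    print(to_xml(OBSERVATIONS))
```

Running the block prints the table for the two constructed hosts: 10.0.0.5 ends up with one ssh entry at confidence 100 and one http entry, while 10.0.0.7 gets only a `CLIENTS` section carrying the browser, which is the client-side view the post says a port scanner cannot produce. Because sightings arrive continuously, a real deployment would re-run the merge and rewrite the file periodically rather than once, which is the "start over to see if there is a diff" problem the post raises for nmap.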
