[Snort-users] Hogger 0.1.3 released

Joel Esler joel.esler at ...14399...
Tue Mar 23 18:03:43 EDT 2010


This product does exist.  It's called "RNA"  http://www.sourcefire.com/products/3D/rna

It's one of our products at Sourcefire, a patented piece of technology that the Sourcefire (Snort) IPS uses to real-time configure all of these features inside of Snort.

Joel


On Mar 23, 2010, at 5:56 PM, Edward Bjarte Fjellskål wrote:

> Hi,
> 
> When I first noticed the host attribute table about 2 years ago,
> I started to fiddle with the idea of how to populate it automagically(tm).
> 
> The "limitation" of nmap is that it would need to scan 65535 times two
> ports on each host to see the whole picture of what services are running.
> Also, if you scan an OK-sized network, it takes time, and when you are finished,
> you should start over to see if there is a diff :) (new services might be
> popping up...)
> 
> I was also doing consultancy for a customer, where the requirements were
> to map the network non-intrusively, for configuring an IDS as best as possible.
> (read: don't portscan the environment)
> 
> I started to draft a solution back then, implemented it in perl, where speed
> sucked, and rewrote it in C. It has been a long journey, and I now see that
> there are other tools out there that do something like this for you,
> but most are commercial, and only one is for Snort. Also I have learned a lot,
> which I find amusing :)
> 
> The upside in all this is that PRADS also can see client side traffic,
> meaning it knows what browser the hosts use etc., which is something that
> nmap never can find out. I remember somewhere in the Snort doc saying
> something about such features might be useful in the future :)
> It will also see hosts and services the moment they start to talk
> on the network, hence "R" for real-time :)
> 
> Anyway, I (and others) have made PRADS, whose main
> purpose was to populate the host attribute table for snort :)
> which is something that it does today. Detection is mainly based
> on the fine work of Michal Zalewski (p0f) and Matt Shelton (PADS).
> We have taken the two tools one step further and also focused on
> performance, since my main goal was to run it side by side with snort.
> 
> The main work is done, but PRADS can benefit from signature contributions
> and testers :) At the moment, we are compatible with p0f signatures and
> PADS signatures (so if you have a personal repo of such, my inbox is open :) )
> 
> Hopefully there can be some synergy between nmap+hogger and PRADS in the
> future.
> 
> E
> 
> ----- Original Message -----
> From: "Shawn Jefferson" <Shawn.Jefferson at ...14448...>
> To: "Joel Esler" <joel.esler at ...14399...>, "Andy Berryman" <aberryman at ...846....14758...>
> Cc: "Parker Crook" <Parker_Crook at ...14786...>, snort-users at ...3054...forge.net
> Sent: 23 March 2010 18:01:42
> Subject: Re: [Snort-users] Hogger 0.1.3 released
> 
> Is there any downside to using it?
> 
> -- 
> Edward Bjarte Fjellskål
> Senior Security Analyst
> Redpill Linpro AS

--
Joel Esler
http://blog.joelesler.net
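As an added illustration of what "populating the host attribute table for snort" in the quoted message amounts to (example code written for this page, not PRADS's own code and not from either poster): a Python script that renders a constructed set of passively observed hosts into Snort's SNORT_ATTRIBUTES XML and reads it back. The element names follow the host attribute table example in the Snort manual (the OS vendor/version/policy fields and the APPLICATION element are left out), and the sample hosts are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of hosts/services as a passive sensor like PRADS would
# see them when they first talk on the wire (made up, not real PRADS output).
OBSERVED = [
    {"ip": "10.0.0.5", "os": "Linux", "services": [("tcp", 22, "ssh"), ("tcp", 80, "http")]},
    {"ip": "10.0.0.9", "os": "Windows", "services": [("tcp", 445, "smb")]},
]

def build_attribute_table(hosts):
    """Render hosts as a Snort host attribute table (SNORT_ATTRIBUTES XML).
    String attributes (OS, service) become integer IDs declared in ATTRIBUTE_MAP."""
    ids = {}
    def attr_id(name):  # first use of a name allocates the next ID
        return ids.setdefault(name, len(ids) + 1)
    root = ET.Element("SNORT_ATTRIBUTES")
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")  # must precede ATTRIBUTE_TABLE
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for h in hosts:
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = h["ip"]
        os_name = ET.SubElement(ET.SubElement(host, "OPERATING_SYSTEM"), "NAME")
        ET.SubElement(os_name, "ATTRIBUTE_ID").text = str(attr_id(h["os"]))
        ET.SubElement(os_name, "CONFIDENCE").text = "100"
        services = ET.SubElement(host, "SERVICES")
        for proto, port, app in h["services"]:
            svc = ET.SubElement(services, "SERVICE")
            for tag, value in (("PORT", str(port)), ("IPPROTO", proto)):
                el = ET.SubElement(svc, tag)  # literal values, not mapped IDs
                ET.SubElement(el, "ATTRIBUTE_VALUE").text = value
                ET.SubElement(el, "CONFIDENCE").text = "100"
            prot = ET.SubElement(svc, "PROTOCOL")
            ET.SubElement(prot, "ATTRIBUTE_ID").text = str(attr_id(app))
            ET.SubElement(prot, "CONFIDENCE").text = "100"
    for name, i in sorted(ids.items(), key=lambda kv: kv[1]):  # emit the map
        entry = ET.SubElement(amap, "ENTRY")
        ET.SubElement(entry, "ID").text = str(i)
        ET.SubElement(entry, "VALUE").text = name
    return ET.tostring(root, encoding="unicode")

def read_attribute_table(xml_text):
    """Inverse: resolve IDs via ATTRIBUTE_MAP -> {ip: (os, [(proto, port, app)])}."""
    root = ET.fromstring(xml_text)
    names = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    out = {}
    for host in root.iter("HOST"):
        svcs = [(s.findtext("IPPROTO/ATTRIBUTE_VALUE"), int(s.findtext("PORT/ATTRIBUTE_VALUE")),
                 names[s.findtext("PROTOCOL/ATTRIBUTE_ID")]) for s in host.iter("SERVICE")]
        out[host.findtext("IP")] = (names[host.findtext("OPERATING_SYSTEM/NAME/ATTRIBUTE_ID")], svcs)
    return out
```

Regenerating the table whenever a new host or service is observed, then telling Snort to reload it, is the real-time loop the quoted message describes; a scan-based approach would have to re-sweep the network to notice the same change.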
