No subject

Thu Nov 23 16:36:19 EST 2017

> When there is a problem and a server or workstation is running NetBIOS, I
> ping the IP address and use nbtstat to find the name of the computer. If
> nbtscan could be used to identify computers in order to provide limited
> Windows name resolution to the ACID names table, furthermore the
> ACID(MySQL) server could run winbind to populate a machine, user, group
> table in the ACID names table.

Calling an external program from PHP isn't too hard.  You could call the
program, and resolve the NetBIOS info on the fly and/or have it write it
back into the DB.

> One could argue that DNS will replace WINS one day. I don't know if that
> day will come soon.

Err...  I really don't think WINS ever has a chance vs. DNS.  IMHO, DNS
won't ever be replaced by a broken MS protocol.  God, at least I _HOPE_
so!

> The questions here are:
>
> 1. If nbtscan does not use a broadcast mechanism and netbios-dgm(135) is
> allowed to travel within the trusted network, why can't it be used to create an
> /etc/hosts file to provide name resolution in snort?

Name resolution should never go into snort.  That should be taken care of
by something external so it doesn't slow down the snort process.  You
could script something to do that and have it placed into your ACID box's
hosts file.

> 2. If winbind is run on the ACID(MySQL) server will resolving Windows
> User names put such a burden on the ACID(MySQL) server that it can not
> receive information from snort?

You don't have to have your MySQL box the same as your ACID box.  If you
have a standalone ACID box, it shouldn't be too much effort.  If you have
it all on one box, you might want to test it on a small page before
setting it up in production.  Either way you're set up, you'd want to cache
the data in some fashion.

> ACID has a great schema however the tool is very limiting and does not

[...snip...]

> professional network security analysts. Will acid evolve into this tool?

[I've broken my ACID box, so I can't verify for sure.]

The first report could be generated from the Search section.  Define the
port and the net, run the search, and it should provide what you want.

As for the evolution of ACID, that's one better answered by Roman.  :)

> Conversely, at the low end and for wide deployments where there are no
> professional network security analysts, one needs what I call a trained
> monkey IDS alert station with Christmas tree lights. Basically this
> consists of a table with cells or a tree with branches that turns green,
> yellow, and red depending on the severity and number of network events.
> The user clicks on a light, and a description of the event pops up with the
> source address, the port, and destination network. I don't know what
> type of IDS alert tool -i.e. professional or trained monkey- should be
> included in snort. I will tell you that there are many organizations
> that bought earlier versions of ISS and figured it is a GUI so we don't
> need a qualified person to run it. ISS was basically brain dead back
> then - i.e. no packet dumps- so you either went brain dead trying to run
> it or just ignored it.

Nothing that I know of does that 'Out of the Box.'  You could beat
NetCool, Tivoli or OpenView into submission to do that.  There are some
packages that do that, but they are the Intellectual Property of several
MSS companies--So we'll never see them unless someone feels generous.

> Lastly and although this was not mentioned in the reviews, there is a
> big push to combine alerts/denials from all network security devices
> i.e. routers, firewalls, and IDS's. Meaning that at some point in time
> logsnorter may have to become part of the basic snort package.

Yes, there is a push for that.  You could again use something like Netcool
for that.

As for it becoming part of the basic snort package...  I don't really
think it should be.  Snort should snort packets, not do data mining and
correlations.  I think that something external such as ACID or Sourcefire
Management Console would be better.  That would allow updates to the
individual parts, w/o waiting for 'the other one' to be done.

> In conclusion, it is my opinion that commercial customers want no
> brainer solutions because either they don't have or can not afford
> professional network security analysts.

Yep. And that's why those folks keep Security Consultants in business.
;-)

> This is the customer the trade magazines and journals are writing for.
> This means that I hope snort becomes a network detection system
> composed of an engine, management console, and alert station to insulate
> the untrained security analyst while providing the tools that the
> professional analyst needs to be productive.

Snort already has that.  :)

> However, until snort becomes a no-brainer the reviews will continue to
> portray snort as the Cinderella of IDS's. The problem with bad press is
> that some managers don't know enough to objectively decide on what
> solution is best for the organization, and proprietary vendors in their
> sales pitch will say that snort is too difficult to configure and our
> product won an A+ from .... magazine.

I'm real curious as to which articles you were reading.  The ones that
I've seen tend to rate Snort very well.  I haven't seen one bit of bad
press.  But then again, I might be reading the wrong articles! :)

> I apologize for this
> distracting email.

Naaa...  Don't worry about it.  It gave me something to do for 30 minutes.
;-)

> I just get the sense that everyone is so wrapped in the technology that
> we forget that everyone is not like the users on snort-users.

Hrmmmm...  I don't know about being wrapped up in technology, but snort
isn't rocket science.  You just have to understand some key concepts to
use it or to make sense of it.

And as for the users on snort-users, there are quite a few (~3600 last
time I heard) with a range of 'types'.  We've got the "I haven't even
looked at the manual, and I want someone else to do this for me" all the
way up to "I'm the Snort _GOD_!  All shall bow down before my _MASSIVE_
Snort FOO!"  :)

> That is why no one asked the question why snort is always reviewed with
> a negative spin, i.e. Snort is great, but...

Again, I've not read that or heard it.  I'd love to read those negative
articles if you still have links for them.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
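The two practical points in the reply above, calling an external scanner from a script and keeping the results out of snort by writing them into the ACID box's hosts file instead, can be sketched in a few dozen lines. The script below is an added example for this archive page; it is not code from the original mail, from ACID or from the Snort project, and it uses Python rather than PHP simply because a cron-driven hosts-file updater is a better fit for a standalone script. It assumes nbtscan is invoked as `nbtscan -s : <network>` so that each output line has the form `IP:NAME:SERVER:USER:MAC` (an assumed layout; the sample lines are constructed, not captured from a real network), and it only ever rewrites a marked block of the hosts file, so repeated runs stay idempotent and hand-maintained entries survive.

```python
#!/usr/bin/env python3
"""Turn nbtscan output into a managed block of hosts-file entries.

Added example, not from the original mail or from ACID/Snort.  Assumes
`nbtscan -s : <net>` prints one host per line as IP:NAME:SERVER:USER:MAC
(assumed format).  The sample output below is constructed.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List

BEGIN = "# BEGIN nbtscan-managed"
END = "# END nbtscan-managed"

# Constructed sample in the assumed `nbtscan -s :` layout.  The last two
# lines are deliberately malformed to show that they are rejected.
SAMPLE_NBTSCAN = """\
192.168.1.10:WORKSTATION1:<server>:JSMITH:00:11:22:33:44:55
192.168.1.20:FILESRV:<server>:<unknown>:00:11:22:33:44:66
192.168.1.21:FILESRV:<server>:<unknown>:00:11:22:33:44:67
192.168.1.30:bad name;rm -rf:<server>:<unknown>:00:11:22:33:44:68
not a scan line at all
"""

# NetBIOS names are at most 15 characters.  Only names that are also safe
# hosts-file tokens are accepted, so scanner output cannot inject junk.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")


def parse_nbtscan(text: str) -> Dict[str, str]:
    """Map IP -> lower-cased NetBIOS name, skipping malformed or unsafe lines."""
    names: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(":", 4)  # the MAC field contains ':' itself
        if len(parts) < 5:
            continue
        ip, name = parts[0].strip(), parts[1].strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not NAME_RE.match(name):
            continue
        names[ip] = name.lower()
    return names


def render_block(names: Dict[str, str]) -> List[str]:
    """Render the managed block, one 'IP<TAB>name' line per host, IP-sorted."""
    lines = [BEGIN]
    for ip in sorted(names, key=ipaddress.ip_address):
        lines.append(f"{ip}\t{names[ip]}")
    lines.append(END)
    return lines


def merge_hosts(existing: str, block: List[str]) -> str:
    """Replace the managed block inside an existing hosts file, keep the rest."""
    kept: List[str] = []
    inside = False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            inside = True
            continue
        if line.strip() == END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    # Trim trailing blank lines so repeated runs do not grow the file.
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept + [""] + block) + "\n"


def scan(network: str) -> Dict[str, str]:
    """Run nbtscan (assumed installed and on PATH) and parse its output."""
    out = subprocess.run(["nbtscan", "-s", ":", network],
                         capture_output=True, text=True, check=True).stdout
    return parse_nbtscan(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a cron job would call
    # scan("192.168.1.0/24") and write merge_hosts(...) back to /etc/hosts.
    existing = "127.0.0.1\tlocalhost\n10.0.0.5\tacid-console\n"
    block = render_block(parse_nbtscan(SAMPLE_NBTSCAN))
    print(merge_hosts(existing, block), end="")
```

Two hosts sharing a NetBIOS name (FILESRV above) are both kept; the resolver will return whichever line comes first, which is usually what you want for a duplicate-name report but is worth knowing before pointing ACID at the result.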