Jumat, 28 November 2003

Snort Add-Ons

07.46    2 comments

Over the last few days I've reviewed several add-ons for Snort. First, everyone using Snort knows about Barnyard. Barnyard processes the output from the spo_unified plugin, which Marty first described in June 2001. spo-unified creates two log files.

To paraphrase Marty, the alert file contains event data (generator, sid, rev, classification, priority, event_reference), timestamp, source IP, destination IP, source port, destination port, protocol, and TCP flags (if applicable). The log file contains the event data, flags that indicate the nature of the stored packet (reassembled fragment, etc.) and the raw binary packet.

Barnyard reads unified output and sends the results to other plugins. In most cases those are database plugins.

MudPit is an alternative to Barnyard. Mudpit was written to overcome the fact that receiving either alert or log data can be insufficient to validate an event, but receiving both simultaneously is wasteful.

At the Sguil project we use our own version of unified output with a modified Barnyard process and new database schema.

Dragos Ruiu wrote Cerebus to read unified output and displays the results in a text-based GUI.

I learned today via this post of the Fast LOgging Project for Snort (Freshmeat site). FLoP doesn't use unified logging at all. It sends Snort output via UNIX domain sockets.

On a slightly different note, I've noticed a few more ambitious projects. For several years CERT has maintained the AirCERT project as a means to share alert data among sensors. I read about the Open Source Security Information Management (OSSIM), Monitoring, Intrusion Detection, Administration System (MIDAS), and Crusoe IDS (announced here) projects, which each bring together data from multiple tools to improve event detection. This is different from Sguil's approach, where we let Snort provide alert data and we provide context using sessions, full content, and eventually statistical data. I know of at least one vendor, Endace, who sells a product featuring data from multiple open source tools.

2 komentar:

  1. PacutotoIDN9 Januari 2020 pukul 22.57

    Bandar Darat Agen Togel Online Terpercaya dan Casino Online

    Dengan Deposit minimal deposit 5000 anda sudah bisa bermain togel online dan casino online di pacutoto

    buka tutup pasaran togel online paling lama
    Sydney pools : 13.25 WIB
    Singapore pools : 17.25 WIB
    Hongkong Pools : 22.30 WIB
    Kohrong pools : 10.00 WIB
    Sentosa Pools : 15.00 WIB
    Bolovia Pools : 12.30 WIB

    Dengan diskon dan hadiah tertinggi

    4d = 66% x 3000
    3d = 59% x 400
    2d = 29% x 70

    BalasHapus
  2. SILVIA CHANDRA13 Januari 2020 pukul 16.04

    SITUS KASTILPOKER ADALAH SITUS POKER ONLINE AMAN & TERPERCAYA
    ☑Bonus new member sebesar 30%
    ☑Bonus deposit setiap harinya 10%
    ☑Bonus Referral & Rakeback 16.7%
    ☑Bonus Capai TO harian
    ☑Bonus Rakeback Bulanan
    ☑Bonus Vaganza
    ☑7 Permainan Populer
    MODAL 5000 SUDAH BISA MAIN YA
    BURUAN GABUNG DAFTAR DAN MAIN
    LINK : https://v.gd/MM9Rg9
    ADMIN : +855964035192

    BalasHapus

Langganan: Posting Komentar (Atom)