May 24th, 2003, 05:41 AM
Process Events from Snort
This sounds like a nifty little tool. Has anyone tried it out yet or heard anything? I don't have an installation of Snort that I could use to test. Sounds like a project for me, if I can ever get the time...
Opinions are like
holes - everybody\'s got\'em.
May 26th, 2003, 05:27 PM
There are definate flaws on this proggy in my opinion.
1) It scans your syslog file for a number of occurances of the same ip. As the README says, this primarily works to find portscans. The author even states that "all of the attacks I've seen, portscans are pretty much 99% of them."
This is a problem because 1) what if your IDS is behind a NATted firewall 2) what if you do not log to syslog 3) it really is geared towards finding script kiddies who rely on hastily footprinting an org with a port or vunerability scanner. 4) What if the scan comes from a comprimised box (which is reported to the ISP by the software) but the real attack comes from another box? 5) To be really useful you should be able to specify which snort sigs it will or will not trigger on. The alerts should be generated on severity of the attack, not the frequency of it.
Though the concept of this software is good, it isn't really there yet. As far as I can tell, this tool is really meant to catch nmap users.
May 27th, 2003, 12:17 AM
Acid is a php web app that allows easy sorting and reading of all snort logs, it is reccommened to run with snort as well as Webmin another php web app for administering a linux box via a web server. I use both with no problems just make sure security concerns are addressed for your web server.
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier