Process Events from Snort

  1. #1
    Senior Member
    Join Date: Aug 2002 | Posts: 651

    Process Events from Snort

    This sounds like a nifty little tool. Has anyone tried it out yet or heard anything? I don't have an installation of Snort that I could use to test. Sounds like a project for me, if I can ever get the time...

    incident.pl v2.6
    Opinions are like holes - everybody's got 'em.

  2. #2
    Member
    Join Date: Feb 2003 | Posts: 35

    There are definite flaws in this proggy in my opinion.

    1) It scans your syslog file for a number of occurrences of the same IP. As the README says, this primarily works to find portscans. The author even states that "all of the attacks I've seen, portscans are pretty much 99% of them."

    This is a problem because 1) what if your IDS is behind a NATted firewall? 2) what if you do not log to syslog? 3) it really is geared towards finding script kiddies who rely on hastily footprinting an org with a port or vulnerability scanner. 4) What if the scan comes from a compromised box (which is reported to the ISP by the software) but the real attack comes from another box? 5) To be really useful you should be able to specify which Snort sigs it will or will not trigger on. The alerts should be generated on the severity of the attack, not the frequency of it.

    Though the concept of this software is good, it isn't really there yet. As far as I can tell, this tool is really meant to catch nmap users.
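To make the frequency-versus-severity point concrete, here is an added example (not code from incident.pl or from anyone in this thread) that parses a few constructed Snort syslog alert lines and applies both rules: a per-source hit-count threshold, as the post describes incident.pl doing, and a priority-based rule with a per-SID ignore list. The log lines, SIDs and IP addresses are all made up for the demo.

```python
import re
from collections import Counter

# Constructed sample lines in the classic Snort syslog alert format; the SIDs
# are placeholders from the local-rule range, not real Snort signature ids.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 ids snort[1234]: [1:1000001:1] SCAN nmap ping sweep [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
Mar  1 10:00:01 ids snort[1234]: [1:1000001:1] SCAN nmap ping sweep [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.11
Mar  1 10:00:02 ids snort[1234]: [1:1000001:1] SCAN nmap ping sweep [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.12
Mar  1 10:00:02 ids snort[1234]: [1:1000001:1] SCAN nmap ping sweep [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.13
Mar  1 10:05:30 ids snort[1234]: [1:1000002:1] WEB-ATTACK shell command in query string [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:41022 -> 192.0.2.20:80
"""

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(text):
    """Return one dict per parseable Snort syslog alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
            out.append(d)
    return out

def by_frequency(alerts, threshold):
    """The rule the post attributes to incident.pl: flag a source once it
    shows up in at least `threshold` alert lines, whatever signature fired."""
    counts = Counter(a["src"] for a in alerts)
    return {ip for ip, n in counts.items() if n >= threshold}

def by_severity(alerts, max_prio=1, ignore_sids=frozenset()):
    """Flag a source on the worst alert it produced (Snort priority 1 is the
    highest), skipping any signatures the analyst chose to ignore."""
    worst = {}
    for a in alerts:
        if a["sid"] in ignore_sids:
            continue
        worst[a["src"]] = min(worst.get(a["src"], 99), a["prio"])
    return {ip for ip, p in worst.items() if p <= max_prio}

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_SYSLOG)
    print("frequency >= 3:", by_frequency(alerts, 3))  # {'203.0.113.9'}
    print("priority 1    :", by_severity(alerts))      # {'198.51.100.7'}
```

The sweeper trips the count threshold with four low-priority pings, while the single priority-1 web alert from the other host is invisible to the frequency rule and only the severity rule reports it.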

  3. #3
    Senior Member (Maestr0)
    Join Date: May 2003 | Posts: 604

    ACID is a PHP web app that allows easy sorting and reading of all Snort logs; it is recommended to run with Snort, as well as Webmin, another PHP web app for administering a Linux box via a web server. I use both with no problems, just make sure security concerns are addressed for your web server.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
