This sounds like a nifty little tool. Has anyone tried it out yet or heard anything? I don't have an installation of Snort that I could use to test. Sounds like a project for me, if I can ever get the time... :rolleyes:
incident.pl v2.6
There are definite flaws in this proggy in my opinion.
1) It scans your syslog file for a number of occurrences of the same IP. As the README says, this primarily works to find portscans. The author even states that "all of the attacks I've seen, portscans are pretty much 99% of them."
This is a problem because:
1) What if your IDS is behind a NATted firewall?
2) What if you do not log to syslog?
3) It really is geared towards finding script kiddies who rely on hastily footprinting an org with a port or vulnerability scanner.
4) What if the scan comes from a compromised box (which is reported to the ISP by the software) but the real attack comes from another box?
5) To be really useful you should be able to specify which snort sigs it will or will not trigger on. The alerts should be generated on severity of the attack, not the frequency of it.
Though the concept of this software is good, it isn't really there yet. As far as I can tell, this tool is really meant to catch nmap users.
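The frequency-versus-severity point above, as an added example that is not from the post or from incident.pl itself: it tallies constructed Snort syslog alert lines the way the post describes incident.pl doing (count hits per source IP), then applies the priority-based, signature-filtered rule the poster asks for instead. The syslog lines, the signature IDs and the threshold are all assumed sample values.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's syslog alert format (not real traffic).
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 ids snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10
Jan 10 12:00:02 ids snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.11
Jan 10 12:00:03 ids snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.12
Jan 10 12:00:09 ids snort[1234]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40012 -> 192.168.1.20:80
Jan 10 12:00:15 ids snort[1234]: [1:1000001:1] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:51000 -> 192.168.1.10:80
Jan 10 12:00:16 ids snort[1234]: [1:1000001:1] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:51001 -> 192.168.1.10:80
Jan 10 12:00:17 ids snort[1234]: [1:1000001:1] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:51002 -> 192.168.1.10:80
"""

# Matches the "[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst" shape.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) "
    r"\[Classification: [^\]]+\] \[Priority: (?P<prio>\d+)\] \{\w+\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
)

def parse_alerts(text):
    """Return one dict per parseable Snort alert line; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"src": m["src"], "sid": m["sid"],
                           "msg": m["msg"], "prio": int(m["prio"])})
    return alerts

def by_frequency(alerts, threshold):
    """incident.pl-style rule as the post describes it: flag any source IP seen
    at least `threshold` times, regardless of what it triggered."""
    counts = Counter(a["src"] for a in alerts)
    return {src: n for src, n in counts.items() if n >= threshold}

def by_severity(alerts, max_prio=1, ignore_sids=()):
    """What the post asks for instead: report by Snort priority (1 = most severe)
    and honour an explicit list of signature IDs to suppress."""
    return sorted({(a["src"], a["sid"], a["msg"]) for a in alerts
                   if a["prio"] <= max_prio and a["sid"] not in ignore_sids})

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_SYSLOG)
    print("frequency >= 3:", by_frequency(alerts, 3))   # flags the noisy web-bug host too
    print("priority 1:", by_severity(alerts))            # the single CodeRed hit, missed above
```

On this sample the frequency rule flags the harmless priority-3 web-bug source alongside the scanner and never sees the single priority-1 CodeRed hit, which is exactly the gap the post describes.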
Acid is a php web app that allows easy sorting and reading of all snort logs. It is recommended to run with snort, as well as Webmin, another php web app for administering a linux box via a web server. I use both with no problems; just make sure security concerns are addressed for your web server.
-Maestr0