
Snort Forums Archive


Implement new signature information fields for total event correlation.


Posted by r00ster on September 22, 2005 06:55:41


I've been kicking this idea around for some time, and it's time to bring it to the experts. In addition to Snort, I use Nessus, and Inprotect along with many other open source tools. Putting all the data together is sometimes cumbersome and time consuming. There are commercial tools that bring all this data together, and I believe the brain power of the people on this list can rival ANY commercial product. I would like the group to consider adding a field to the rules that would identify the OS(es) for that signature. I understand that this would also impact the snort database, and other dependent tools, but the data would be helpful. With the OS readily ID'ed, it would help filter out many false positives for your environment. I understand that some signatures are OS agnostic, but many are OS specific at least to the point of *nix or Windows. So taking a mental test-drive, BASE comes up with an alert, you drill down and see that the signature is for FreeBSD, but the box it is hitting is W2003. You know it to be W2003, because in the BASE GUI, it arrives that it is based on the last automated Nessus scan that was performed. Continuing with this idea, BASE also allows you to look at the IIS logs on that target W2003 machine, by querying the data that Snare has provided. Going further, Oinkmaster knows to disable all signatures that have OSID=7 (FreeBSD) because you have none in house. Granted, I see the potential problems that would arise by automation without human intervention, but I think that can be overcome. I have a sinking suspicion that I will be ridiculed by some in the group for not going through my rules and doing the work manually, but, with most of us, time is precious, and hard to come by.

I know that this forum is not the place to add suggestions for BASE, Inprotect, and Snare, but getting one interface going that will query the combined data would be extremely useful. If a tool that correlates all of the data that many, if not all, of us sift through is already available in an Open Source application, sign me up.
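One way to prototype the Oinkmaster-style filtering described in the post above, as an added example that is not part of the thread or of Snort/Oinkmaster: a small Python filter that comments out rules whose OS tag has no overlap with the local asset inventory, while leaving OS-agnostic and already-disabled rules alone. The `target_os` metadata key and the sample rules are assumptions standing in for the proposed OSID field; Snort's `metadata` rule option itself is real.

```python
import re

# Constructed sample rules. The "target_os" metadata key is hypothetical and
# stands in for the OS field proposed in the post; sids are made-up local ones.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS sample"; metadata:target_os windows; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BSD sample"; metadata:target_os freebsd; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"OS-agnostic sample"; sid:1000003; rev:1;)
# alert tcp any any -> any 23 (msg:"already disabled"; metadata:target_os linux; sid:1000004; rev:1;)
"""

META_RE = re.compile(r"metadata\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def rule_target_os(rule: str):
    """Return the set of OS names given via the hypothetical target_os key,
    or None when the rule carries no such tag (i.e. it is OS-agnostic)."""
    m = META_RE.search(rule)
    if not m:
        return None
    oses = set()
    for item in m.group(1).split(","):      # metadata is a comma-separated key/value list
        parts = item.split()
        if len(parts) == 2 and parts[0] == "target_os":
            oses.add(parts[1].lower())
    return oses or None


def filter_rules(text: str, inventory: set):
    """Comment out every active rule whose target_os set does not intersect the
    inventory of OSes actually present. Returns (new_text, disabled_sids)."""
    have = {o.lower() for o in inventory}
    out, disabled = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)                 # blank or already disabled: keep as-is
            continue
        oses = rule_target_os(stripped)
        if oses is not None and not (oses & have):
            sid = SID_RE.search(stripped)
            disabled.append(int(sid.group(1)) if sid else -1)
            out.append("# " + line)          # disable, but keep the rule text for review
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled
```

A human review of the `disabled_sids` list before deploying the rewritten file addresses the post's own concern about automation without human intervention.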

Posted by Joel_Esler on September 22, 2005 13:10:52

Actually a really good idea.

Please email your idea to roesch [at] sourcefire [dot] com.

Joel Esler
SOURCEfire