<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:iweb="http://www.apple.com/iweb" version="2.0">
  <channel>
    <title>Jason B.</title>
    <link>http://web.me.com/vrybdpkt/Site/Blog/Blog.html</link>
    <description>Good Day. Welcome to my snort.org home. I’ll post things I am playing with here and discuss general security stuff.</description>
    <generator>iWeb 3.0.1</generator>
    <image>
      <url>http://web.me.com/vrybdpkt/Site/Blog/Blog_files/IMAGE_095.jpg</url>
      <title>Jason B.</title>
      <link>http://web.me.com/vrybdpkt/Site/Blog/Blog.html</link>
    </image>
    <item>
      <title>Using unified files to populate google earth</title>
      <link>http://www.snort.org/users/jbrvenik/Site/Blog/Entries/2010/3/16_Using_unified_files_to_populate_google_earth.html</link>
      <guid isPermaLink="false">369e4f1b-d48b-4e0d-979a-af8d9caf599a</guid>
      <pubDate>Tue, 16 Mar 2010 11:54:37 -0400</pubDate>
      <description>When I published the perl code to process Snort unified files it was my hope that it would enable people to do some useful and cool things with unified files. &lt;br/&gt;&lt;br/&gt;Leon Ward has done just that. His SnoGE project now supports unified and unified2 file formats as well as csv and Sourcefire Event Streamer (live feed) formats. &lt;br/&gt;&lt;br/&gt;You can get the requisite bits by clicking the links below&lt;br/&gt;&lt;br/&gt;&lt;a href=&quot;http://leonward.wordpress.com/snoge/&quot;&gt;SnoGE&lt;/a&gt;&lt;br/&gt;&lt;a href=&quot;http://code.google.com/p/snort-unified-perl/&quot;&gt;SnortUnified&lt;/a&gt;&lt;br/&gt;&lt;a href=&quot;https://support.sourcefire.com/&quot;&gt;Sourcefire EStreamer&lt;/a&gt; (requires Sourcefire Support login)&lt;br/&gt;&lt;br/&gt;As always, if you have any questions we are happy to help, send us a mail or give us a call.&lt;br/&gt;&lt;br/&gt;Happy snorting.&lt;br/&gt;</description>
    </item>
    <item>
      <title>Snort event visualizations using Google Earth</title>
      <link>http://www.snort.org/users/jbrvenik/Site/Blog/Entries/2009/3/19_Snort_event_visualizations_using_Google_Earth.html</link>
      <guid isPermaLink="false">d0f6eaba-ade1-4558-ac3f-558250db6650</guid>
      <pubDate>Thu, 19 Mar 2009 16:15:49 -0400</pubDate>
      <description>Leon Ward of Sourcefire has released a perl script that will parse Snort alert files or Sourcefire CSV events reports for use with Google Earth. &lt;br/&gt;&lt;br/&gt;I like it, thought it would be useful to a few people and asked him if I could post it here. He has agreed and thusly, &lt;a href=&quot;../Archives.html&quot;&gt;you can find it here in the file archives&lt;/a&gt;.&lt;br/&gt;&lt;br/&gt;A screenshot of the mapping.&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;Leon has written about it &lt;a href=&quot;http://leonward.wordpress.com/&quot;&gt;here&lt;/a&gt;&lt;br/&gt;</description>
    </item>
    <item>
      <title>The latest non sequitur</title>
      <link>http://www.snort.org/users/jbrvenik/Site/Blog/Entries/2008/12/31_The_latest_non_sequitur.html</link>
      <guid isPermaLink="false">aad60f77-d79d-4259-a57f-f8b752e91de5</guid>
      <pubDate>Wed, 31 Dec 2008 10:58:24 -0500</pubDate>
      <description>I came across an article on O'REILLY &lt;a href=&quot;http://broadcast.oreilly.com/2008/12/why-most-companies-shouldnt-ru.html&quot;&gt;here&lt;/a&gt; where &lt;a href=&quot;http://www.oreillynet.com/pub/au/902&quot;&gt;John Viega&lt;/a&gt; asserts that most companies shouldn't run IPS. It motivated me to comment and thusly here is my analysis of the article, an elegantly worded non sequitur IMHO.&lt;br/&gt;&lt;br/&gt;The conclusion is that IPS is good for the &amp;quot;big guys&amp;quot; but not the rest (the little guys?) because it is too much work. This conclusion comes from a hypothetical position that 30K in opportunity cost is wasted effort and never results in any security or benefit. This conclusion simply cannot follow the premise. Let's dig deeper into the details and see if this bears out.&lt;br/&gt;&lt;br/&gt;- Install Snort on a system passively monitoring your network. (2 hours)&lt;br/&gt;- Install BASE and barnyard. (2 hours)&lt;br/&gt;- Buy a VRT subscription ($500)&lt;br/&gt;- Install automated rules updates. (2 hours)&lt;br/&gt;- Initially tune the system. (40 hours)&lt;br/&gt;&lt;br/&gt;To get up and running, using generous time estimates, we are at a 46 hour investment. Using 250 days @ 2.5 hours a day for 100 man days to get to 30K we have an investment of $300 a day. 5.75 man days @ $300 a day is $1,725.&lt;br/&gt;&lt;br/&gt;$1,725 - Investment to start securing your network.&lt;br/&gt;&lt;br/&gt;Keeping the 2.5 hours a day review resulting in 30K in burden we have a total investment in security of $31,725/yr assuming upgrades and upkeep at the same level of effort as installation.&lt;br/&gt;&lt;br/&gt;What does this buy you?&lt;br/&gt;&lt;br/&gt;- One prevented data loss as a result of compromise?&lt;br/&gt;- One weekend for 2 people rebuilding 40 machines?&lt;br/&gt;- One birthday with your daughter?&lt;br/&gt;- One anniversary?&lt;br/&gt;- One averted PCI failure resulting in a 30 day loss of credit card processing?&lt;br/&gt;- One averted announcement of customer data stolen?&lt;br/&gt;- One customer list not in the hands of the competition?&lt;br/&gt;- One confidential document not lost breaching contract?&lt;br/&gt;- One payroll database not compromised and employees' identities saved?&lt;br/&gt;- One blocked attack to the mail server you forgot to patch because you were in a rush to get to your daughter's birthday party, resulting in porn spam to everyone in your contact list?&lt;br/&gt;- One state contract won because you have security?&lt;br/&gt;&lt;br/&gt;The reasons to have IPS are innumerable and to ignore all of them as wasted effort is dubious. To then state that it doesn't make sense to spend $31,725 to secure a business and network supporting the families of 40 people is shocking. What should we be willing to pay to do the minimum to ensure that the lives of our 40 employees are minimally disrupted because of criminal greed?&lt;br/&gt;&lt;br/&gt;All of this of course assumes that you are trying to solve the problem on the cheap (which is demonstrably not cheap at all as seen above) and not using a commercial solution like the Sourcefire 3D system, which was specifically designed to solve many of these management &amp;quot;problems and costs&amp;quot; by bringing intelligence and automation to the table. When you have a system that knows about your network, users, and attacks you get an output that is an assessment of the relevance of the attack. This reduces your daily analysis minimally by 80%, resulting in a $6,000/yr burden as opposed to the $30,000/yr asserted above. To purchase the 3D system to protect a network of 40 employees on a DSL line would cost $21,417 before any applicable discounts. That number is certainly more in up-front costs but a lot less in ongoing maintenance and annual burden. To me this seems like an easy investment to make considering you will have a best of breed solution protecting your network, the business, the livelihood of your 40 employees and their families, and your intellectual property.</description>
    </item>
  </channel>
</rss>
