Snort event visualizations using Google Earth

Thu, 19 Mar 2009 16:15:49 -0400

Leon Ward of Sourcefire has released a perl script that will parse Snort alert files or Sourcefire CSV events reports for use with Google Earth.

I like it, thought it would be useful to a few people and asked him if I could post it here. He has agreed and thusly, you can find it here in the file archives.

A screenshot of the mapping.

Leon has written about it here

The latest non sequitur

Wed, 31 Dec 2008 10:58:24 -0500

I came across an article on O'REILLY here where John Viega asserts that most companies shouldn't run IPS. It motivated me to comment and thusly here is my analysis of the article, an elegantly worded non sequitur IMHO.

The conclusion is that IPS is good for the "big guys" but not the rest (the little guys?) because it is too much work. This conclusion comes from a hypothetical position that 30K in opportunity cost is wasted effort and never results in any security or benefit. This conclusion simply cannot follow the premise. Lets dig deeper into the details and see if this bears out.

- Install Snort on a system passively monitoring you network. (2 hours)
- Install BASE and barnyard. (2 hours)
- Buy a VRT subscription ($500)
- Install automated rules updates. (2 hours)
- Initially tune the system. (40 hours)

To get up and running, using generous time estimates, we are at 46 hours investment. Using 250 days @ 2.5 hours a day for 100 man days to get to 30K we have an investment of $300 a day. 5.75 man days @ $300 a day is $1,725.

$1725 - Investment to start securing your network.

Keeping the 2.5 hours a day review resulting in 30K in burden we have a total investment in security of $31,725/yr assuming upgrades and upkeep at the same level of effort as installation.

What does this buy you?

- One prevented data loss as a result of compromise?
- One weekend for 2 people rebuilding 40 machines?
- One birthday with your daughter?
- One anniversary?
- One averted PCI failure resulting in a 30 day loss of credit card processing?
- One averted announcement of customer data stolen?
- One customer list not in the hands of the competition?
- One confidential document not lost breaching contract?
- One payroll database not compromised and employees identity saved?
- One blocked attack to the mail server you forgot to patch because you were in a rush to get to your daughters birthday party, resulting in porn spam to everyone in your contact list?
- One state contract won because you have security?

The reasons are innumerable to have IPS and to ignore all of them as wasted effort is dubious. To then state that that it doesn't make sense to spend $31,725 to secure a business and network supporting the families of 40 people is shocking. What should we be willing to pay to do the minimum to ensure that the lives of our 40 employees are minimally disrupted because of criminal greed?

All of this of course assumes that you are trying to solve the problem on the cheap (which is demonstrably not cheap at all as seen above) and not using a commercial solution like the Sourcefire3D system which was specifically designed to solve many of these management "problems and costs" by bringing intelligence and automation to the table. When you have a system that knows about your network, users, and attacks you get an output that is an assessment of the relevance of the attack. This reduces your daily analysis minimally by 80% resulting in $6000/yr burden as opposed to the $30,000/yr asserted above. To purchase the 3D system to protect a network of 40 employees on a DSL line would cost of $21,417 before any applicable discounts. That number is certainly more in up front costs but a lot less in ongoing maintenance and annual burden. To me this seems like an easy investment to make considering you will have a best of breed solution protecting your network, the business, the livelihood of your 40 employees and their families, and your intellectual properties.

Fast Flux and DNS Cache Poisoning Detection 0.2

Tue, 2 Sep 2008 09:59:08 -0400

On the heels of Ben Feinstein at SecureWorks doing his Defcon presentation and releasing his code to the community we have Scott Cambell @ LBL releasing a DNS Fast Flux preprocessor based on the DNS preprocessor code. Check it out here

Based on the description this looks like it could be very useful for the malware / phishing / bot hunting community. Kudos to Scott for taking the time and implementing an idea and then releasing it to the community.

Jason B.

Snort event visualizations using Google Earth

The latest non sequitur

Fast Flux and DNS Cache Poisoning Detection 0.2