PaulDotCom mailing list archives

Re: IDP/IDS


From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 14 Sep 2010 15:48:00 -0500

Whatever you do I would make sure that you have the following
complementary technologies as IDS alerts alone generally don't mean
squat without context surrounding them.

1. Huge rotating Full-Content packet capture (disk space is cheap
these days), from which you can extract info based on IDS events or
via custom BPF's.
2. Flow logging that you will retain for much, much longer than your
Full-Content data.
3. Centralized Logging of OS, Application, FW, logs etc that can be
queried ad hoc. I was broke and couldn't even afford Splunk, so I enabled the
OSSEC logall option and wrote a web front end to zgrep that allowed
for stacked queries.
4. Tools to make quick work of the extracted pcap and flow data.
Plenty have been mentioned recently on the list.

If you decide to go the open source route for one or all of these
things, here is some info that might be helpful that I cut from a
presentation I did a few months ago.


Full content packet capture

PF_RING (Make the rest of the apps below go faster)
http://www.ntop.org/PF_RING.html

My Quick look at Zero-Copy BPF for Suricata in FreeBSD 8.
http://node5.blogspot.com/2009/11/very-quick-look-at-zero-copy-bpf-in.html

Wireshark
http://www.wireshark.org/

Daemonlogger
http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

OpenFPC (looks pretty slick! Haven't played with it yet)

tcpdump (supports setting pcap buff size via -B and uses an option
similar to Phil Wood's mmap patch since libpcap 1.0 if the kernel supports
it.)
http://www.tcpdump.org/

Flow Logging
Argus
(There are others, but this is the best IMHO.
Good for on-demand stats)
http://www.qosient.com/argus/

Yaf
http://tools.netsa.cert.org/yaf/

Sancp
http://www.metre.net/sancp.html

Tools to use for analysis of full content packet captures.
My dumb little pcap parser (Simply applies user provided bpf to
multiple rotating pcaps.  Uses argus as indexing.)
http://doc.emergingthreats.net/bin/view/Main/PcapParser

NetworkMiner (Windows)
http://networkminer.sourceforge.net/

Xplico (web interface)
http://www.xplico.org/

Honeysnap (Python)
http://www.honeynet.org/project/Honeysnap

ChaosReader (amazing... Perl, 6 years old, still handy)
http://www.brendangregg.com/chaosreader.html

ngrep (simple string and regex matching for packets)
http://ngrep.sourceforge.net/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
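The alert-to-pcap pivot described in point 1, as an example added here (not Will's pcap parser or any of the tools listed above): it reads a classic libpcap image with the standard library only, keeps packets inside the alert's time window, and matches the alert's 5-tuple in both directions instead of compiling a BPF. It assumes IPv4 TCP/UDP over plain Ethernet; the alert values and the sample capture are constructed.

```python
import struct
# Alert fields as an IDS event would report them (constructed values, not a real sensor's).
ALERT = {"src": "10.0.0.5", "sport": 51515, "dst": "192.0.2.10", "dport": 80, "proto": 6}

def read_pcap(data):
    """Yield (timestamp, packet bytes) from a classic libpcap file image, either byte order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def five_tuple(pkt):
    """(proto, src, sport, dst, dport) for IPv4 TCP/UDP over Ethernet, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
        return None
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
    sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
    return proto, src, sport, dst, dport

def matches(tup, alert):
    """True when tup is the alert's flow in either direction."""
    fwd = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    return tup is not None and tup[0] == alert["proto"] and tup[1:] in (fwd, fwd[2:] + fwd[:2])

def extract(data, alert, t0, t1):
    """Packets of the alert's flow captured within [t0, t1] (epoch seconds)."""
    return [p for ts, p in read_pcap(data) if t0 <= ts <= t1 and matches(five_tuple(p), alert)]

def _pkt(src, sport, dst, dport, proto=6):
    eth = b"\x00" * 12 + b"\x08\x00"           # Ethernet header, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

def _pcap(records):                            # little-endian classic pcap image
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", s, 0, len(p), len(p)) + p for s, p in records)

SAMPLE = _pcap([                                              # constructed, not real traffic
    (1000, _pkt("10.0.0.5", 51515, "192.0.2.10", 80)),        # alert flow, client -> server
    (1001, _pkt("192.0.2.10", 80, "10.0.0.5", 51515)),        # same flow, server -> client
    (1002, _pkt("10.0.0.7", 40000, "192.0.2.10", 80)),        # another client, same server
    (1003, _pkt("10.0.0.5", 51515, "192.0.2.10", 80, 17)),    # same tuple but UDP
    (2000, _pkt("10.0.0.5", 51515, "192.0.2.10", 80)),        # alert flow, outside window
])
```

Running `extract(SAMPLE, ALERT, 990, 1010)` returns the two packets of the alerted flow; in practice you would first select the rotated capture files whose rotation window overlaps the alert time, then feed each one through the same filter.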

