[vox] Snort / Acid talk, May 14 at SacLUG

Bill Kendrick vox@lists.lugod.org
Tue, 15 Apr 2003 22:19:04 -0700


----- Forwarded message from Brian Lavender <brian@brie.com> -----

Date: Tue, 15 Apr 2003 21:32:04 -0700
From: Brian Lavender <brian@brie.com>
Subject: [Lug-Nuts] Snort / Acid talk, May 14
To: Lug Nuts <lug-nuts@saclug.org>
Reply-To: lug-nuts@saclug.org

Next SacLUG meeting for May.

Patrick Southcott will do our next talk on May 14.

When: May 14, 7 - 9pm
Where: Exit Certified
Who: Patrick Southcott
What: Snort and Acid

I will paste below what Patrick sent me. I am sure
he will answer questions. I'll get the website
updated shortly.

brian

...some cut-n-paste to describe the idea.

--------------------[http://www.snort.org/about.html]
What is Snort?
Snort is an open source network intrusion detection
system, capable of performing real-time traffic
analysis and packet logging on IP networks. It can
perform protocol analysis, content searching/matching
and can be used to detect a variety of attacks and
probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts,
and much more. 

[http://www.freeos.com/articles/3496/]
"Snort is a versatile, lightweight and very useful
intrusion detection system."

[http://freeos.com/articles/3404/]
"There are various Intrusion Detection Systems
available out there, to name a few good ones, Tripwire
and Snort...
The use of an IDS along with a Firewall provides an
effective baseline level of security"

[http://www.snort.org/docs/faq.html]
3.1 Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it.
A: Use an ethernet tap, or build your own
'receive-only' ethernet cable.
   Basically, 1 and 2 on the sniffer side are
connected, 3 and 6 straight through to the LAN. 1
and 2 on the LAN side connect to 3 and 6
respectively. This fakes a link on both ends but only
allows traffic from the LAN to the sniffer. It also
causes the 'incoming' traffic to be sent back to
the LAN, so this cable only works well on a hub.

------------------------------------------------------
[http://is-it-true.org/fw/fwtips6.shtml]
[http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html]
What is ACID?
Analysis Console for Intrusion Databases (ACID) 
The Analysis Console for Intrusion Databases (ACID) is
a PHP-based analysis engine to search and process a
database of security events generated by various
IDSes, firewalls, and network monitoring tools. The
features currently include: 

- Query-builder and search interface for finding
alerts matching on alert meta information (e.g.
signature, detection time) as well as the underlying
network evidence (e.g. source/destination address,
ports, payload, or flags). 
- Packet viewer (decoder) will graphically display the
layer-3 and layer-4 packet information of logged
alerts 
- Alert management by providing constructs to
logically group alerts to create incidents (alert
groups), deleting the handled alerts or false
positives, exporting to email for collaboration, or
archiving of alerts to transfer them between alert
databases. 
- Chart and statistics generation based on time,
sensor, signature, protocol, IP address, TCP/UDP
ports, or classification
------------------------------------------------------

-patrick


-- 
Brian Lavender
http://www.brie.com/brian/
_______________________________________________
lug-nuts mailing list
lug-nuts@saclug.org
http://www.saclug.org/mailman/listinfo/lug-nuts

----- End forwarded message -----

-- 
bill@newbreedsoftware.com                                            Hire me!
http://newbreedsoftware.com/bill/    http://newbreedsoftware.com/bill/resume/
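The stealth-interface answer quoted from the Snort FAQ above, written out as a small sensor start-up script. This is an added example, not code from the SacLUG post, Patrick's talk or the Snort project; the interface name eth1, the config path /etc/snort/snort.conf and the addrless() pre-check are assumptions.

```shell
#!/bin/sh
# Added example (not from the SacLUG post or the Snort FAQ): bring up a
# dedicated sniffing interface with no IP address and start Snort on it.
# IFACE and SNORT_CONF are assumed values; override them in the environment.
IFACE="${IFACE:-eth1}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# addrless OUTPUT: succeed (return 0) when OUTPUT, the text printed by
# `ip -o -4 addr show dev $IFACE`, contains no IPv4 address. Kept as a
# pure text check so it can be exercised without touching a real interface.
addrless() {
    ! printf '%s\n' "$1" | grep -q 'inet '
}

# stealth_up: link up, no address, ARP off so the host never answers on
# this interface. Snort switches the interface to promiscuous mode itself.
stealth_up() {
    ip link set dev "$IFACE" arp off
    ip link set dev "$IFACE" up
    if ! addrless "$(ip -o -4 addr show dev "$IFACE")"; then
        echo "refusing to start: $IFACE still has an IPv4 address" >&2
        return 1
    fi
    # -i interface, -c rules/config file, -D run as a daemon
    exec snort -i "$IFACE" -c "$SNORT_CONF" -D
}

# Constructed sample `ip -o -4 addr show` outputs for the offline check.
SAMPLE_WITH_ADDR='2: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'
SAMPLE_NO_ADDR=''

case "${1:-}" in
    up) stealth_up ;;
esac
```

Run it as root on the sensor with `sh stealth.sh up`; the pre-check refuses to start Snort while an IPv4 address is still bound to the interface, since an addressed interface is no longer stealthy.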