Snort mailing list archives

Auto magically building active host lists and ports...your thoughts ?


From: "Sean Wheeler" <s.wheeler () shiver gotdns org>
Date: Thu, 25 Mar 2004 12:31:05 +0100

hi,


I have been playing around with having the active hosts and their related
ports on the monitored network being automagically identified.
The idea being, during setup, to take out the tediousness of setting up the
active hosts and services and the relevant rules, and/or to improve the
reporting capability.
( Get this all done before you activate any rules. )

tools used : arpwatch & nwatch

Process :

Using arpwatch, build a list of MAC-to-IP pairs ( nicely limited to the
monitored network by using ARP ). I presently have a script which parses this
output file and places those entries in the database.

I then have a script which parses the entries from the DB table and sets up
nwatch to passively monitor active tcp ports aka services running on the
hosts within the DB table.

Flow basically looks like :
arpwatch -> DB Hosts -> nwatch -> DB Ports

In the end I have a list of active hosts detected by arpwatch on the
monitored network ( no need to scan production systems or worry about
needing an IP address on that interface ). I also have a list of active TCP
ports which correspond to the detected active hosts on the monitored
network ( again, doing this passively does not require an IP address nor active
scanning against production systems ).


Thoughts :

1) This process will build only active hosts on the monitored segment ( so
attacks destined into this network will be monitored ).
2) It does NOT build a list of hosts which are accessed with src
monitored_net -> dst DMZ2 ( webserver_monitored_net ->
DB_server_in_other_net ), as this list is based on local ARP traffic. (
ouchie... would be good to have this also automagically, or added manually via a
frontend )

Next steps :

Now that I have a list of ports related to specific hosts, I can map the
application to that port ( port 80 -> IIS or Apache ).
Build a mapping of rule_ids -> OS/Application.

Conclusion :

1) By taking out 95% of the initial setup, it would be possible to pair up
the active Hosts/Ports with relevant rules.
        main benefit -> alerts specific to relevant hosts
2) Failing this, leave the rules relevant to a Network and not an IP address
list ( but use the mapping in reporting ).
        Reporting can :
                Differentiate automated attacks vs manual attacks, or indiscriminate vs
focussed attacks


Your Thoughts :

Have I overlooked something in my eagerness to get cracking on the
technical proof-of-concept ?
Are there flaws in this approach which can be rectified ?
What limitations do you see ?
Did you come up with a mind-blowing idea while eyeballing the above ? ( erm,
"Yes" and I dun wanna tell you... not what I am looking for :) )

regards

Sean

Open Source < Open Thought



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
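The arpwatch -> DB Hosts -> nwatch -> DB Ports flow above, as an added worked example (this is not Sean's script and not part of the original post). It parses a constructed arpwatch arp.dat sample into a host table, folds constructed passive TCP observations into a port table (only SYN/ACK replies from a monitored host count as a listening service), and emits Snort 2.x `var` lines so rules can be scoped to the discovered hosts. Assumptions not given in the post: arp.dat is tab-separated as MAC, IP, epoch timestamp, optional hostname; the passive observations are modelled as (src_ip, src_port, dst_ip, tcp_flags) tuples rather than real nwatch output; the port-to-variable map (`PORT_TO_VAR`) is illustrative. Servers seen answering from outside the ARP-visible segment are collected separately, which is exactly the gap noted in thought 2.

```python
"""Passive host/port inventory feeding Snort variables (added example)."""
import sqlite3

# Illustrative port -> Snort variable mapping (assumption, not from the post).
PORT_TO_VAR = {80: "HTTP_SERVERS", 443: "HTTP_SERVERS", 22: "SSH_SERVERS",
               25: "SMTP_SERVERS", 1433: "SQL_SERVERS", 3306: "SQL_SERVERS"}

# Constructed arpwatch arp.dat sample (assumed format: MAC<TAB>IP<TAB>epoch[<TAB>host]).
ARP_DAT = """\
0:c:29:3a:1b:2c\t192.168.10.5\t1080200000\twww
0:c:29:aa:bb:cc\t192.168.10.9\t1080200100
0:50:56:c0:0:8\t192.168.10.1\t1080200200\tgw
0:c:29:3a:1b:2c\t192.168.10.5\t1080200300\twww
"""

# Constructed passive TCP observations: (src_ip, src_port, dst_ip, tcp_flags).
# "SA" (SYN/ACK) from the source means a listening service answered.
OBSERVED = [
    ("192.168.10.5", 80, "10.0.0.7", "SA"),
    ("192.168.10.5", 443, "10.0.0.7", "SA"),
    ("192.168.10.9", 22, "10.0.0.8", "SA"),
    ("192.168.10.9", 3389, "10.0.0.8", "R"),     # RST: closed port, ignored
    ("192.168.10.5", 80, "10.0.0.7", "SA"),      # duplicate sighting
    ("172.16.0.4", 1433, "192.168.10.5", "SA"),  # DB server in another net (thought 2)
]


def norm_mac(mac):
    """arpwatch writes unpadded hex octets (0:c:29:...); pad to 00:0c:29:... form."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_dat(text):
    """Return {ip: {mac, last_seen, hostname}}, keeping the most recent sighting."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        mac, ip, ts = fields[0], fields[1], int(fields[2])
        name = fields[3] if len(fields) > 3 else ""
        cur = hosts.get(ip)
        if cur is None or ts > cur["last_seen"]:
            hosts[ip] = {"mac": norm_mac(mac), "last_seen": ts, "hostname": name}
    return hosts


def build_db(hosts, observed):
    """Load hosts and listening ports into an in-memory DB (the post's two tables).

    Returns (connection, off_segment): off_segment holds (ip, port) pairs that
    answered with SYN/ACK but are not in the ARP-derived host list, i.e. servers
    reached from the monitored net that ARP alone can never enumerate.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hosts(ip TEXT PRIMARY KEY, mac TEXT, hostname TEXT, last_seen INTEGER);
        CREATE TABLE ports(ip TEXT, port INTEGER, PRIMARY KEY(ip, port),
                           FOREIGN KEY(ip) REFERENCES hosts(ip));
    """)
    conn.executemany(
        "INSERT INTO hosts VALUES (?,?,?,?)",
        [(ip, h["mac"], h["hostname"], h["last_seen"]) for ip, h in hosts.items()])
    off_segment = set()
    for src, sport, _dst, flags in observed:
        if flags != "SA":          # only a SYN/ACK proves something is listening
            continue
        if src in hosts:
            conn.execute("INSERT OR IGNORE INTO ports VALUES (?,?)", (src, sport))
        else:
            off_segment.add((src, sport))
    conn.commit()
    return conn, off_segment


def listening(conn):
    """Set of (ip, port) pairs recorded as listening services."""
    return set(conn.execute("SELECT ip, port FROM ports"))


def snort_vars(conn):
    """Render Snort 2.x `var NAME [ip,ip]` lines from the ports table."""
    groups = {}
    for ip, port in sorted(conn.execute("SELECT ip, port FROM ports")):
        var = PORT_TO_VAR.get(port)
        if var:
            groups.setdefault(var, set()).add(ip)
    return ["var %s [%s]" % (var, ",".join(sorted(ips)))
            for var, ips in sorted(groups.items())]


if __name__ == "__main__":
    db, external = build_db(parse_arp_dat(ARP_DAT), OBSERVED)
    print("\n".join(snort_vars(db)))
    print("off-segment servers needing manual entry:", sorted(external))
```

The `var` lines can be dropped into snort.conf in place of the hand-maintained HTTP_SERVERS / SQL_SERVERS lists; anything reported as off-segment is what the frontend from thought 2 would have to accept by hand.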