This sort of facility could be built into Snort relatively easily by
using the plugin interface to code up modules to do whatever you want
and then report back to the user. The plugin "API" gives the plugin
author access to the decoded packet stream and then lets them examine
and manipulate the packet data any way they desire before handing it off
to the detection module. Once it's gone through the detection engine,
the output stage (in version 1.6) allows the use of output plugins so
that the results can be reported in any manner that the author desires.
As you can see, Snort provides the motivated programmer a number of ways
to manipulate and examine the raw data stream from the wire and then
report its findings. Not bad for free.... :)
-Marty
Dragos Ruiu wrote:
>
> On Mon, 07 Feb 2000, Richard Sharpe wrote:
> > With a packed decode engine that is decoupled from display, a la dencode as
> > I proposed some time ago, and have made some progress on, one could build a
> > simple expert system that could do some automatic fault diagnosis by
> > looking for patterns of packets etc ...
> >
> Sounds kinda like an IDS... the "snort" guys are up to good things in that
> area... much more flexible rule writing and responses. Go Marty!
>
> HP calls this feature "commentators" on their Internet Advisor expert system.
> Essentially rule checks triggered off decodes... that comment on network
> events and critical faults observed. Which is essentially what snort tries to
> do in real-time.
>
> I would love to do something... maybe like Max Vision's arachnids database,
> that is a public database of good troubleshooting heuristics... network states
> that led to diagnosing a problem... so that it can be automated and be extended
> beyond simple intrusion detection to overall network health and integrity.
> If anyone has any of these I would be glad to try to code them as snort rules
> or ethereal output processing. So submit your problem stories/solutions here...
> I'll publicly post the derived info. If I get a couple or enough to build some
> critical mass, I'll build a web page for it at dursec.
>
> The idea would be to learn from others' experience and try to automate
> that experience into software. Though I advise realism... there have been
> a lot of people chasing this AI troubleshooter grail for quite a while now
> and it's proven more elusive than anyone has liked. The magic that eludes
> is the technical experience....but this is one area where the open source
> model has numerous advantages.
>
> --
> dursec.com / kyx.net - we're from the future http://www.dursec.com
> learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver
>
> Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
> RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
--
Martin Roesch <roesch@xxxxxxxxxxxxxx>
Director of Forensic Systems http://www.hiverworld.com
Hiverworld, Inc. Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
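As an added illustration of the plugin chain Marty describes (decoded packet, preprocessor plugins, then output plugins), here is a small self-contained model in C. It is not Snort's code: the registration functions and names are hypothetical stand-ins, and the preprocessor implements one troubleshooting heuristic of the kind Dragos asks for, with a constructed threshold and a constructed packet stream.

```c
/* Model of the Snort 1.6 plugin chain: decoded packet -> preprocessor plugins
 * -> output plugins. Names are hypothetical stand-ins, not Snort's real API. */
#include <stdio.h>
typedef struct { unsigned src, dst; unsigned char proto, icmp_type, icmp_code; } Packet;
typedef void (*PreprocFn)(Packet *);
typedef void (*OutputFn)(const char *msg, const Packet *);
#define MAX_PLUGINS 4
static PreprocFn preproc_list[MAX_PLUGINS]; static int n_preproc;
static OutputFn  output_list[MAX_PLUGINS];  static int n_output;
/* registration: the role AddFuncToPreprocList/AddFuncToOutputList play in Snort */
void add_preproc(PreprocFn f) { if (n_preproc < MAX_PLUGINS) preproc_list[n_preproc++] = f; }
void add_output(OutputFn f)   { if (n_output  < MAX_PLUGINS) output_list[n_output++]  = f; }
/* alerts go through every registered output plugin, never straight to stdout */
static void report(const char *msg, const Packet *p) {
    for (int i = 0; i < n_output; i++) output_list[i](msg, p);
}
/* Preprocessor plugin: a network-health heuristic. Repeated ICMP port-unreachable
 * (type 3, code 3) from one host usually means a service clients expect is not
 * listening there. The threshold is a constructed value, not a tuned one. */
#define MAX_HOSTS 16
#define UNREACH_THRESHOLD 3
static struct { unsigned host; int count; } unreach[MAX_HOSTS];
static int n_hosts, alerts_raised;
void unreach_preproc(Packet *p) {
    if (p->proto != 1 || p->icmp_type != 3 || p->icmp_code != 3) return;
    int i; for (i = 0; i < n_hosts; i++) if (unreach[i].host == p->src) break;
    if (i == n_hosts) {                      /* first unreachable seen from this host */
        if (n_hosts == MAX_HOSTS) return;    /* table full: drop rather than overflow */
        unreach[n_hosts].host = p->src; unreach[n_hosts++].count = 0;
    }
    if (++unreach[i].count == UNREACH_THRESHOLD) {   /* alert once per host */
        alerts_raised++;
        report("ICMP port-unreachable burst: service down on this host?", p);
    }
}
/* Output plugin: console line; a syslog or database plugin registers the same way */
void console_output(const char *msg, const Packet *p) { printf("[%s] src=%u\n", msg, p->src); }
int unreach_count(unsigned host) {
    for (int i = 0; i < n_hosts; i++) if (unreach[i].host == host) return unreach[i].count;
    return 0;
}
/* core loop: every decoded packet goes to each preprocessor in registration order */
int run_sample(void) {
    /* constructed stream: host 10 sends four ICMP 3/3 (and one TCP), host 20 sends one */
    Packet stream[] = { {10,1,1,3,3}, {20,1,1,3,3}, {10,1,1,3,3}, {10,1,6,0,0}, {10,1,1,3,3}, {10,1,1,3,3} };
    n_preproc = n_output = n_hosts = alerts_raised = 0;
    add_preproc(unreach_preproc); add_output(console_output);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        for (int j = 0; j < n_preproc; j++) preproc_list[j](&stream[i]);
    return alerts_raised;   /* 1: host 10 crossed the threshold exactly once */
}
```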