argus and snort ?
Peter Van Epp
vanepp at sfu.ca
Mon Sep 11 21:02:13 EDT 2000
>
>
> On Mon, 11 Sep 2000 19:40:51 -0400 Carter Bullard <carter at qosient.com>
> wrote:
>
> >
> > So what is snort doing for you guys that is helping?
> > Is there some nugget of goodness that we can add to
> > argus that will give the same info?
> >
>
> I have been running snort for about two weeks. I have spent a lot of
> time trimming out rules with high false +ve rates -- I've dumped most
> of the web and mail stuff.
>
> During that time snort did pick up two attempts to exploit the sgi
> Telnet bug -- one of these was successful (I wonder how many there
> were before I got snort up). In this case I was able to get hold of the
> administrator and he quickly confirmed the box was 'r00ted'. We would
> have not found out until the attackers did something obvious with the
> box in question without snort or something similar (or much tighter
> system administration procedures -- the clues were there when they
> looked, i.e. no SYSLOG :( ).
<snip>
From my point of view, snort's advantage (when I get around to
seeing how poorly it does on my link), and that of NFR and Dragon which I'm
supposed to be evaluating, is that they look for attacks in the full decoded
data stream. To me, as Russell says, that's a different job than argus does at
present, and I wouldn't stop running argus if I do choose to also run snort, NFR
or Dragon, because the latter 3 don't keep a record of everything on my net (as
argus does) but only of things they see as attacks. I'm currently unconvinced
that they are going to be able to do a better job than argus, however (or
reduce the amount of my time required, which is my boss's great hope for the
"AI" engines (which are really attack pattern matchers) in the commercial
products), but they might do enough to be useful in addition to argus to keep
watch on the entire data stream (they have no chance of replacing argus as
far as I'm concerned).
As to Russell's attack, in my case one of the things I do on a semi
regular basis is dump out all the telnets inbound to our machines. A sudden
change in the traffic pattern (as in half the Internet suddenly connecting,
or as little as one offsite connection to a machine that hasn't had one before)
gets a query to the administrator. A number of times that has indicated a
breakin, and sometimes it is expected. The other, more usual of late, trigger
point is traffic. The last bunch of incidents (including two root breaches)
were used to either host Eggdrop on IRC for data transfer or
Gnutella/napster/ftp for file transfer and thus got noticed and stopped.
This of course (when I get time :-)) needs to be automated. One thought
is having a web page that classifies telnet, ssh, ftp and any other service
I can think of sorted by machine/subnet and served from a secure web server
(oxymoron alert!) with password protection that the admins of the machines
can access and look at who has been connecting to their machines. They are in
a much better position to identify an unusual access (and of course under such
a scenario if I find it, their network connection gets disconnected to give
them some incentive to check the web page). It would also make looking
for strange things easier for me. Sometime I'll get time ...
Assuming I can get by the privacy issues, another interesting snort
application (which argus could, modulo performance issues, also do) is to look
for prompts of the nature "#" in the full data stream and pick out file names
for ftp and http (.mp3 would be one red flagger here). I'm not sure that this
will be acceptable from a privacy standpoint, but network charging may make it
mandatory (with big pipes with traffic charges, a Gnutella server can become
a significant cost).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
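The "dump all inbound telnets and query the admin on a sudden change" routine described above, written out as an added example (not code from the original post or from the argus project). It assumes a simplified one-line-per-flow text format loosely modelled on ra output (timestamp, protocol, src:port -> dst:port, bytes); real argus records carry more fields and the parser would need adjusting. The flow records, the local prefix 192.0.2.0/24 and the offsite addresses are constructed for the example (RFC 5737 documentation ranges), and the three alert types (first-ever offsite source for a host/service, a host/service pair that never appeared in the baseline, and a jump in distinct sources) are this example's choices, not anything argus itself computes.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed local address space for the example (RFC 5737 documentation range).
LOCAL_NETS = [ip_network("192.0.2.0/24")]
# Destination ports classified into the services the post talks about.
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 6667: "irc"}

# Constructed "yesterday" records: the baseline of who normally talks to whom.
BASELINE_FLOWS = """\
2000-09-10 08:01:12 tcp 192.0.2.10:40001 -> 192.0.2.50:23 1200
2000-09-10 09:15:40 tcp 192.0.2.11:40002 -> 192.0.2.50:22 8800
2000-09-10 10:02:03 tcp 192.0.2.12:40003 -> 192.0.2.60:21 51000
2000-09-10 11:00:00 tcp 198.51.100.20:3000 -> 192.0.2.70:22 4000
"""

# Constructed "today" records: one first-ever offsite telnet to .50, a new
# IRC service on .60, and a burst of new offsite ssh sources to .70.
TODAY_FLOWS = """\
2000-09-11 02:10:09 tcp 198.51.100.7:51000 -> 192.0.2.50:23 3400
2000-09-11 02:11:30 tcp 198.51.100.7:51001 -> 192.0.2.50:23 1700
2000-09-11 08:30:00 tcp 192.0.2.10:40010 -> 192.0.2.50:23 1100
2000-09-11 09:00:00 tcp 203.0.113.5:2000 -> 192.0.2.60:6667 90000
2000-09-11 09:01:00 tcp 203.0.113.6:2001 -> 192.0.2.60:6667 91000
2000-09-11 09:02:00 tcp 203.0.113.7:2002 -> 192.0.2.60:6667 92000
2000-09-11 10:00:00 tcp 198.51.100.20:3001 -> 192.0.2.70:22 4100
2000-09-11 10:05:00 tcp 198.51.100.21:3002 -> 192.0.2.70:22 3900
2000-09-11 10:07:00 tcp 198.51.100.22:3003 -> 192.0.2.70:22 4200
"""

# Assumed record layout; not argus's real output format.
FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse the assumed flow format into dicts; reject lines that do not fit."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append({"proto": m["proto"],
                      "src": m["src"], "sport": int(m["sport"]),
                      "dst": m["dst"], "dport": int(m["dport"]),
                      "bytes": int(m["bytes"])})
    return flows


def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def summarize(flows):
    """Per (local dst host, service): all sources, offsite sources, bytes."""
    summary = defaultdict(lambda: {"sources": set(), "offsite": set(), "bytes": 0})
    for f in flows:
        if not is_local(f["dst"]):
            continue  # inbound to our machines only
        service = SERVICES.get(f["dport"], str(f["dport"]))
        entry = summary[(f["dst"], service)]
        entry["sources"].add(f["src"])
        if not is_local(f["src"]):
            entry["offsite"].add(f["src"])
        entry["bytes"] += f["bytes"]
    return summary


def find_anomalies(baseline_flows, today_flows, spike_factor=3):
    """Compare today's per-host/service picture against the baseline."""
    base = summarize(baseline_flows)
    today = summarize(today_flows)
    alerts = []
    for (dst, service), entry in sorted(today.items()):
        prior = base.get((dst, service))
        if prior is None:
            # Host/service pair never seen before (e.g. an IRC bot appearing).
            alerts.append(("new-service", dst, service, sorted(entry["sources"])))
            continue
        new_offsite = entry["offsite"] - prior["offsite"]
        if new_offsite:
            # As little as one offsite connection to a host that never had one.
            alerts.append(("new-offsite-source", dst, service, sorted(new_offsite)))
        n_now, n_prior = len(entry["sources"]), len(prior["sources"])
        if n_now > n_prior and n_now >= spike_factor * max(n_prior, 1):
            # "Half the Internet suddenly connecting."
            alerts.append(("source-spike", dst, service, n_now))
    return alerts


def by_host(alerts):
    """Group alerts per destination host, the way a per-admin page would show them."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert[1]].append(alert)
    return dict(grouped)


def report(baseline_text=BASELINE_FLOWS, today_text=TODAY_FLOWS):
    return find_anomalies(parse_flows(baseline_text), parse_flows(today_text))


if __name__ == "__main__":
    for host, host_alerts in sorted(by_host(report()).items()):
        print(host)
        for kind, _, service, detail in host_alerts:
            print(f"  {kind:20} {service:7} {detail}")
```

Run against the constructed records it reports the offsite telnet to 192.0.2.50, the IRC service appearing on 192.0.2.60, and both the new sources and the source-count jump for ssh on 192.0.2.70; the baseline window, the spike factor and which services count are the knobs you would tune per subnet before handing the output to the admins.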