Snorby VMware Appliance (Cryptolife)
June 14th, 2010 under Tools, Releases by jonbaer [ Comments: none ]
The Snorby virtual appliance provides a preconfigured, out-of-the-box Snorby front-end for Snort, the popular intrusion detection system. The Snorby interface is developed by Dustin Webber. This appliance is aimed at security professionals with in-depth knowledge of intrusion detection and security monitoring. Nevertheless, beginners can use the appliance to understand and learn about intrusion detection and network security.
Click here for notes and download
Project Razorback™ (formerly known as Near Real-Time Detection)
June 14th, 2010 under Articles, Sourcefire, Tools, White papers by jonbaer [ Comments: none ]
Near Real-Time Detection (Razorback) is the result of extensive research into detection of attacks hidden inside numerous layers of compression, obfuscation, and evasion techniques across multiple file formats. Razorback in its current form is a plugin to the Snort detection engine. Razorback addresses the issues with file format parsing by separating selected file types from transmitted data, which are then passed to additional detection engines either on local or distributed remote system(s). The intention is for the system to be extensible and not necessarily be a plugin for Snort.

Future development plans include providing Snort with automatic detection rule updates that an IPS deployment of Snort can use to protect the private network along with further enhancements aimed at data leak prevention. The system will also use templates to describe file types and a simple rule language to detect attacks.
Click here for code and presentation
Network Security Toolkit 1.8.1
January 15th, 2009 under Tools by jonbaer [ Comments: none ]
NST v1.8.1 has been released. This version includes many enhancements to the NST WUI (web-based front-end) to Snort IDS, supporting multiple network interface sensors for the detection of security threat incidents. Also included is a Snort IDS Collector: a back-end MySQL database configured for the storage of Snort IDS security threat incidents in support of an enterprise-wide federation of Snort IDS sensors. See the NST home page: http://www.networksecuritytoolkit.org for further information about this NST release.
Snort Management Reports
May 9th, 2007 under Tools by michelangelo [ Comments: none ]
Snort Management Reports is a configurable reporting application that can be run against any Snort™-compliant database to analyse the data and report the result of the analysis in a Portable Document Format (PDF) report. Snort™, as an Open Source Intrusion Detection and Prevention System, now benefits from a high-quality management reporting tool. Alert Management Reports is a robust and configurable reporting solution that can provide a strategic view of your company's security performance.

Alert Management Reports can either draw a high-level statistical overview of your incident database or be configured to do a detailed analysis of your security traffic for each day of the report period. This flexibility allows the administrator to use the report to measure weekly performance, and tracking the variance in the report data can alert you to any anomalous activity that needs deeper investigation. This allows you to use Management Reports as a security dashboard to keep an eye on your security posture and to investigate in more detail if any anomaly is detected. The application can be configured to include any of a range of specific types of data, from graphs of events vs. time to summarised and/or detailed listings of IP addresses and port numbers of alert packets.
Alert Management Reports can easily be extended to provide answers to questions that are of specific interest to your organisation. These queries can be anything ranging from custom views of data returned by existing queries to complex data mining operations on historical data.
Please download a sample report from our product documentation section.
You can download the product as a tar.gz file and install it or you can download our debianized packages. Click here to read the product installation readme.
You can download the product from here.
SeePurity.com
May 2nd, 2007 under Tools by michelangelo [ Comments: none ]
Check out this great site that collects and shares open source security tools for the enterprise, tools howtos and experiences, articles, etc.
http://seepurity.com/
Snort “unified” file API in Ruby
April 16th, 2007 under Tools by jonbaer [ Comments: none ]
Via Brian Caswell …
The fastest full-detail output for Snort “unified logs”, which were meant to unify packet and event logs into a single binary file format. Along the way, someone (cough, Marty, cough) forgot the definition of “unified”. There are two separate file formats, unified logs and unified alerts. The great part about “unified” files is that they are host-byte-order dependent!
If you want to read unified files, you have a few options.
- Barnyard, an unmaintained unified file reader.
- Mudpit, an unmaintained unified file reader.
- Cerebus, an unmaintained, binary only text based event reader.
- SnortUnified.pm, a sort-of OOP perl API for unified files (Don’t attempt to read multiple files at once!)
Or… unified.rb, a tiny ruby API for reading unified files.
http://www.shmoo.com/~bmc/software/ruby/unified.rb
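The host-byte-order dependence Brian Caswell complains about above is something any unified reader has to cope with before it can trust a single field. The following Ruby is an added example and is not part of the original post or of his unified.rb: it sniffs the byte order of a unified file from its magic number by trying both interpretations, then decodes the alert file header in the order that matched. The magic values (ALERT_MAGIC 0xDEAD4137, LOG_MAGIC 0xDEAD1080) and the alert header layout (four 32-bit fields: magic, version_major, version_minor, timezone) are recalled from Snort's spo_unified.h and should be treated as assumptions to verify against the Snort source that wrote your files; the sample headers are constructed inline, not captured from a sensor.

```ruby
# Added example, not Brian Caswell's unified.rb. Sniff the byte order of a
# Snort "unified" file from its magic number before trusting any other field.
# Assumptions: the magic values (ALERT_MAGIC 0xDEAD4137, LOG_MAGIC 0xDEAD1080)
# and the alert file header layout (four 32-bit fields: magic, version_major,
# version_minor, timezone) are recalled from Snort's spo_unified.h; check them
# against the Snort build that produced your files.

UNIFIED_MAGIC = {
  0xDEAD4137 => :alert, # unified alert file
  0xDEAD1080 => :log    # unified log (packet) file
}.freeze

# Ruby unpack directives for an unsigned 32-bit integer in each byte order.
U32_FORMAT = { little: 'V', big: 'N' }.freeze

# Try both byte orders on the first four bytes. A little-endian host writes
# 0xDEAD4137 as the bytes 37 41 AD DE, a big-endian host as DE AD 41 37, so
# the order that yields a known magic is the byte order of the writing host.
# Returns [kind, endian] or nil if neither reading is a known magic.
def sniff_unified(bytes)
  return nil if bytes.bytesize < 4
  U32_FORMAT.each do |endian, fmt|
    magic = bytes.byteslice(0, 4).unpack(fmt).first
    kind = UNIFIED_MAGIC[magic]
    return [kind, endian] if kind
  end
  nil
end

# Decode the unified alert file header in the byte order sniff_unified found.
# Returns a hash, or nil if the bytes are not a complete unified alert header.
def parse_unified_alert_header(bytes)
  kind, endian = sniff_unified(bytes)
  return nil unless kind == :alert && bytes.bytesize >= 16
  magic, major, minor, tz = bytes.byteslice(0, 16).unpack(U32_FORMAT[endian] * 4)
  { magic: magic, version_major: major, version_minor: minor,
    timezone: tz, endian: endian }
end

# Constructed sample headers (not captured from a real sensor): the same alert
# header as a little-endian and a big-endian host would each write it, a log
# file header, and a pcap magic to show that a non-unified file is rejected.
SAMPLE_LE_ALERT = [0xDEAD4137, 1, 81, 0].pack('V4')
SAMPLE_BE_ALERT = [0xDEAD4137, 1, 81, 0].pack('N4')
SAMPLE_LE_LOG   = [0xDEAD1080].pack('V') + ("\x00" * 24).b
NOT_UNIFIED     = [0xA1B2C3D4].pack('V') + ("\x00" * 20).b

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_LE_ALERT, SAMPLE_BE_ALERT, SAMPLE_LE_LOG, NOT_UNIFIED].each do |buf|
    p sniff_unified(buf)
  end
  p parse_unified_alert_header(SAMPLE_BE_ALERT)
end
```

Byte order is only the part of the problem that the magic number lets you detect: the record layouts that follow the header still have to be matched to the Snort build that wrote the file, so a reader should refuse to guess when the magic is not recognised rather than decode garbage.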
Daemonlogger 0.9 Released
April 7th, 2007 under Articles, Sourcefire, Tools by jonbaer [ Comments: none ]
DaemonLogger 0.9 has been released. The newest version has several new features including:
1) Support for dropping privileges at startup has been added.
2) DaemonLogger supports reading packets from pcap files instead of the network now. Those pcap files can be filtered for output back to the disk using BPF filters or they can be retransmitted on wire using the soft tap mode.
3) Support for chrooting at startup has been added.
daemonlogger-0.9.tar.gz
Articles on using daemonlogger:
TaoSecurity
Geek00l
Sourcefire releases Daemonlogger open source tool
April 4th, 2007 under Sourcefire, Tools by michelangelo [ Comments: none ]
Sourcefire, the security firm that oversees the open source intrusion-detection system software, Snort, is making available another open source tool for network traffic logging.
The tool, called Daemonlogger, is a packet sniffer that can passively capture network traffic logs and write them to disk in PCAP format. Sourcefire said Daemonlogger is being licensed under the GNU General Public License Version 2, under which anyone may access, modify and redistribute the Daemonlogger source code so that users can share enhancements and new features with other network professionals. Martin Roesch, CTO of Sourcefire and the originator of Snort IDS, said open source Daemonlogger is intended to be a “handy and easy-to-use tool.” Sourcefire indicated Daemonlogger is offered as an alternative to proprietary products for logging and storing network traffic that are needed to meet a growing number of regulatory requirements.
NAC - Network Access Control with Snort!
March 15th, 2007 under Tools by michelangelo [ Comments: none ]
Did you think that in order to accomplish Network Access Control and Host Quarantining on your network you have to shell out hundreds of thousands of dollars?
Think twice. There are two projects based on Snort and Nessus that implement NAC with Open Source tools.
The first is PacketFence. PacketFence is an open-source package that provides network access control (NAC). Deployed in academic networks around the world, PacketFence is reliable, extremely configurable, and built upon unmodified open-source code (Fedora, LAMP, Perl, and Snort). It provides a web-based captive portal for registration, scans for vulnerabilities with Nessus, and detects malware activity in the network with Snort. It also quarantines infected hosts via controlled ARP poisoning of the switch via SNMP and DHCP manipulation.
Click here for a good detailed overview.
The second open source product is NetPass. The concept of NAC is the same, but the quarantining is accomplished through separate VLAN assignment (via SNMP as well) and through DNS manipulation.
I would personally recommend these open source tools as they are ready for enterprise deployment.
Host IDS gets an update!
March 13th, 2007 under Tools by michelangelo [ Comments: none ]
IT managers who want to get a handle on their security logs but don’t have the budget for big-ticket software can check out an updated version of the open source, host-based intrusion-detection system OSSEC.
OSSEC Version 1.1 performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. Daniel Cid, lead developer and author of OSSEC, says the software is both an IDS as well as a log analysis and correlation tool, similar to products in the security event management market.
Cid this week made available Version 1.1, which he says adds features such as e-mail alerting, advanced log analysis and an active response mechanism to thwart attackers. This version includes “more advanced log-analysis rules for improved correlation and analysis,” as well as new active response features that use “route null” to block detected attackers, he says.
OSSEC uses a client/server model with server software at a central location and distributed agent technology on managed devices. The software monitors file and directory modifications, provides accountability by storing authentication information, and triggers user alerts on failed authentication or questionable user additions.
The software runs on most operating systems, including Linux, OpenBSD, MacOS, Solaris and Windows. Users install the software on a server and then the agent is deployed on client machines using a Windows installation wizard.
“It has a centralized architecture, allowing one central server to manage and monitor the logs and integrity data from multiple agents,” Cid explains. “The server/agent communication is encrypted/compressed so it saves a lot of bandwidth and keeps the privacy of the log data in transit.”
The software also allows a local installation for users that are not interested in the server/agent architecture or just have one system to monitor. This release also adds support for Microsoft IIS 6, Cisco VPN concentrator, Cisco PIX VPN AAA, Cisco FWSM and Solaris 10 logs.
OSSEC Version 1.1 is available free for download under the GNU General Public License. It can be found here.