Bamm Visscher | 1 Dec 2005 18:29

Sguil 0.6.0 Released

Announcing the release of sguil version 0.6.0.

Sguil (pronounced sgweel) is built by network security analysts for
network security analysts. Sguil's main component is an intuitive GUI
that provides realtime events from snort/barnyard. It also includes
other components which facilitate the practice of Network Security
Monitoring and event driven analysis of IDS alerts. The sguil client
is written in tcl/tk and can be run on any operating system that
supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Sguil version 0.6.0 contains two significant differences from previous
versions. The first difference is the use of the Mysql MRG_MyISAM
(MERGE) engine for the sancp, event, *hdr, and data tables.  With the
MERGE engine, it is possible to keep hundreds of millions of rows of
data active and online and still be functional (queries to the DB are
reasonably responsive).  The use of MERGE and the associated schema
makes backing up and restoring data amazingly simple and quick. The
UPGRADE text in the sguil-0.6.0/doc directory of the source contains
more detail as well as upgrade instructions.

The second major change was to the sguil output plugin for barnyard
(op_sguil) and the communications structure between the sensors and
sguild. Op_sguil now uses tcl libraries and sends data via localhost
to the sensor's agent.  All communications between the sensor and
sguild now flow thru sensor_agent. This means the mysql libraries are
no longer needed on the sensors. Since barnyard does not need to be
compiled with mysql support, op_sguil (barnyard) and Mysql 4+ may be
used together without any license conflicts.

Other changes include:

Paul Schmehl | 2 Dec 2005 23:08

Re: Sguil 0.6.0 Released

Bamm, will this version *require* patching barnyard?  (If it does, I want 
to submit an update to the barnyard port for FreeBSD to patch it when it's 
installed, rather than trying to do it in conjunction with the sguil ports.

--On Thursday, December 01, 2005 10:29:33 -0700 Bamm Visscher 
<bamm.visscher <at> gmail.com> wrote:

> Announcing the release of sguil version 0.6.0.
>
> Sguil (pronounced sgweel) is built by network security analysts for
> network security analysts. Sguil's main component is an intuitive GUI
> that provides realtime events from snort/barnyard. It also includes
> other components which facilitate the practice of Network Security
> Monitoring and event driven analysis of IDS alerts. The sguil client
> is written in tcl/tk and can be run on any operating system that
> supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
>
> Sguil version 0.6.0 contains two significant differences from previous
> versions. The first difference is the use of the Mysql MRG_MyISAM
> (MERGE) engine for the sancp, event, *hdr, and data tables.  With the
> MERGE engine, it is possible to keep hundreds of millions of rows of
> data active and online and still be functional (queries to the DB are
> reasonably responsive).  The use of MERGE and the associated schema
> makes backing up and restoring data amazingly simple and quick. The
> UPGRADE text in the sguil-0.6.0/doc directory of the source contains
> more detail as well as upgrade instructions.
>
> The second major change was to the sguil output plugin for barnyard
> (op_sguil) and the communications structure between the sensors and
> sguild. Op_sguil now uses tcl libraries and sends data via localhost

Bamm Visscher | 2 Dec 2005 23:15

Re: [Snort-users] Sguil 0.6.0 Released

Yes, until barnyard is released with the new op_sguil, it will require
patching. I need to get a hold of Andrew and see what we can do.

Bammkkkk

On 12/2/05, Paul Schmehl <pauls@...> wrote:
> Bamm, will this version *require* patching barnyard?  (If it does, I want
> to submit an update to the barnyard port for FreeBSD to patch it when it's
> installed, rather than trying to do it in conjunction with the sguil ports.
>
> --On Thursday, December 01, 2005 10:29:33 -0700 Bamm Visscher
> <bamm.visscher@...> wrote:
>
> > Announcing the release of sguil version 0.6.0.
> >
> > Sguil (pronounced sgweel) is built by network security analysts for
> > network security analysts. Sguil's main component is an intuitive GUI
> > that provides realtime events from snort/barnyard. It also includes
> > other components which facilitate the practice of Network Security
> > Monitoring and event driven analysis of IDS alerts. The sguil client
> > is written in tcl/tk and can be run on any operating system that
> > supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
> >
> > Sguil version 0.6.0 contains two significant differences from previous
> > versions. The first difference is the use of the Mysql MRG_MyISAM
> > (MERGE) engine for the sancp, event, *hdr, and data tables.  With the
> > MERGE engine, it is possible to keep hundreds of millions of rows of
> > data active and online and still be functional (queries to the DB are
> > reasonably responsive).  The use of MERGE and the associated schema
> > makes backing up and restoring data amazingly simple and quick. The

Paul Schmehl | 3 Dec 2005 00:31

Re: [Snort-users] Sguil 0.6.0 Released

OK.  In the meantime, I can patch barnyard by fetching the sguil port, 
extracting the patches for barnyard from it and applying them to barnyard 
before the build.

I'll take a look at it this weekend.

--On Friday, December 02, 2005 15:15:33 -0700 Bamm Visscher 
<bamm.visscher@...> wrote:

> Yes, until barnyard is released with the new op_sguil, it will require
> patching. I need to get a hold of Andrew and see what we can do.
>
> Bammkkkk
>
> On 12/2/05, Paul Schmehl <pauls@...> wrote:
>> Bamm, will this version *require* patching barnyard?  (If it does, I want
>> to submit an update to the barnyard port for FreeBSD to patch it when
>> it's installed, rather than trying to do it in conjunction with the
>> sguil ports.
>>
>> --On Thursday, December 01, 2005 10:29:33 -0700 Bamm Visscher
>> <bamm.visscher@...> wrote:
>>
>> > Announcing the release of sguil version 0.6.0.
>> >
>> > Sguil (pronounced sgweel) is built by network security analysts for
>> > network security analysts. Sguil's main component is an intuitive GUI
>> > that provides realtime events from snort/barnyard. It also includes
>> > other components which facilitate the practice of Network Security
>> > Monitoring and event driven analysis of IDS alerts. The sguil client

Raffael Marty | 5 Dec 2005 06:03

Tools to Visualize Security Data

[sorry for the crosspost to focus-ids, loganalysis and idug]

I am trying to collect a list of tools and methods that people are using
to visualize security data. What tools are people using? Anything? Or is
everyone still working with textual representations?

Has anyone used afterglow (afterglow.sourceforge.net) and has come up with
some neat ways of visualizing data? Maybe some really cool way of
representing a certain type of log file?

I will start a list on the Web, if I get enough interesting responses.

Thanks
  -raffy

-- 
  Raffael Marty, GCIA, CISSP
  Senior Security Engineer  <at>  ArcSight Inc.
Blake Hartstein | 2 Dec 2005 22:50

Re: IM & P2P packets

As a starting point I would recommend the bleeding snort ruleset 
www.bleedingsnort.com
The primary focus is detection of WHEN p2p and AIM are in use and not by 
WHOM.
You could extend the existing rules to include the user information, and 
some of them may already do the trick.

I suggest looking at the following files to identify the useful information.
bleeding-p2p.rules
bleeding-policy.rules

To start download the entire ruleset, 
http://www.bleedingsnort.com/bleeding.rules.tar.gz.

-Blake

ahmad mubarak wrote:

>hi all
>
>i am new in infoSec field so my boss asked me to give him
>a list of IM and P2P users in our network
>
>i searched the Internet to find any tool to help in this task but no result
>
>so is there any one can help !!! to achieve this task
>
>ideas , tools , procedures will appreciated
>
>

Lachlan Bowes | 3 Dec 2005 08:42

Re: IM & P2P packets

Probably one of the simplest and cheapest things you could do would be
to sniff data on your network for certain ports. All the P2P software
use unique ports, get a list of say the top20 P2P networks and their
ports and you'll probably get the results you're after. 

If you have an IDS you could configure some signatures to alarm on per
port/per session traffic.

Regards,
	Lachlan

On Tue, 2005-11-29 at 08:06 +0300, ahmad mubarak wrote:
> hi all
> 
> i am new in infoSec field so my boss asked me to give him
> a list of IM and P2P users in our network
> 
> i searched the Internet to find any tool to help in this task but no result
> 
> so is there any one can help !!! to achieve this task
> 
> ideas , tools , procedures will appreciated
> 
> 
> thanx
> 
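As an added example (not code from this thread), here is the port-based inventory Lachlan describes, run over constructed connection-log lines; the port table is an assumption listing the default ports of 2005-era IM/P2P clients, and as Blake's reply points out, a port match only tells you that a client is in use on a host, not which account is logged in.

```python
from collections import defaultdict

# Default ports used by common IM/P2P clients at the time (assumption; extend as needed).
APP_PORTS = {
    "AIM/ICQ":    {5190},
    "MSN":        {1863},
    "Yahoo IM":   {5050},
    "IRC":        {6667},
    "BitTorrent": set(range(6881, 6890)),
    "Gnutella":   {6346, 6347},
    "eDonkey":    {4662},
    "Kazaa":      {1214},
}
PORT_TO_APP = {p: app for app, ports in APP_PORTS.items() for p in ports}

# Constructed sample log, one connection per line: "timestamp proto src:port > dst:port".
SAMPLE_LOG = """\
2005-11-29T08:10:01 tcp 10.1.2.15:49152 > 64.12.24.1:5190
2005-11-29T08:10:07 tcp 10.1.2.15:49153 > 207.46.110.1:1863
2005-11-29T08:11:30 tcp 10.1.2.99:51000 > 82.1.1.1:6881
2005-11-29T08:12:02 tcp 10.1.2.99:51001 > 82.1.1.2:6889
2005-11-29T08:12:40 tcp 10.1.2.42:40000 > 10.1.0.5:443
2005-11-29T08:13:11 udp 10.1.2.42:40001 > 10.1.0.53:53
this line is garbage and must be skipped
"""

def parse_line(line):
    """Return (src_ip, dst_port), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != ">":
        return None
    try:
        return parts[2].rsplit(":", 1)[0], int(parts[4].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None

def im_p2p_users(log_text):
    """Map each source host to the sorted list of IM/P2P apps seen by destination port."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue          # malformed line: skip rather than abort the whole report
        src_ip, dst_port = parsed
        app = PORT_TO_APP.get(dst_port)
        if app:
            seen[src_ip].add(app)
    return {ip: sorted(apps) for ip, apps in seen.items()}
```

Clients configured to use non-default ports (many IM clients fall back to 80 or 443) will not show up here, which is why the Snort rules Blake recommends inspect payload rather than ports alone.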

Re: IM & P2P packets

Hi:
	Look at iptables/netfilter + the ipp2p module or, if you have enough money, Allot 
NetEnforcer

-- 
Fco. Jose Garrido Matamoros
Senior Telecommunications Engineer

TecVD - Seguridad y Control de Sistemas de Informacion
http://www.tecvd.com

NOTE: accents have been deliberately omitted from this message to avoid 
any alteration of the characters in the text.

On Tuesday, 29 November 2005 06:06, ahmad mubarak wrote:
> hi all
>
> i am new in infoSec field so my boss asked me to give him
> a list of IM and P2P users in our network
>
> i searched the Internet to find any tool to help in this task but no result
>
> so is there any one can help !!! to achieve this task
>
> ideas , tools , procedures will appreciated
>
>
> thanx
>

Joel Esler | 3 Dec 2005 23:50

Re: Snort rules setup.

I suggest that you don't threshold these alerts.  If you don't want  
to see them at all, suppress them.

These are not "Errors", they are alerts of an Open Port Detection  
through the sfportscan preprocessor.  Check out the documentation on  
both the preprocessor and Suppression in the Snort manual.

You also might want to check out the Snort-Users list.

Joel

On Nov 30, 2005, at 2:13 PM, phunked up! wrote:

> I am trying to get rid of the errors of: "(portscan) Open Port" in my
> Snort logs.  They are filling it up quite fast.  I have put a line in
> the threshold.conf file and enabled that file in the snort.conf file
> but that has done nothing so far.
>
> Setup is Centos/MySQL/Snort/BASE.  Any advice would be much  
> appreciated.
>
> Thanks!
>
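Added example of the two threshold.conf forms Joel contrasts (not from the thread): a threshold line still logs the first event per interval, a suppress line never logs it. gen_id 122 is the sfportscan preprocessor and sig_id 27 its Open Port event in the Snort 2.x gen-msg.map; verify both against the map shipped with your version, and the scanner address below is a placeholder.

```snort
# Rate limiting: one "(portscan) Open Port" event per source host per minute
# is still written to the log, so the log keeps growing, just more slowly.
threshold gen_id 122, sig_id 27, type limit, track by_src, count 1, seconds 60

# Suppression: the event is never logged at all (what Joel recommends if you
# do not want to see these events).
suppress gen_id 122, sig_id 27

# Narrower suppression: drop the event only for a known, authorised scanner
# (placeholder address) so unexpected open-port detections elsewhere still log.
suppress gen_id 122, sig_id 27, track by_src, ip 192.0.2.10
```

The file takes effect only if snort.conf has an `include threshold.conf` line and Snort is restarted after editing it.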

Steffen Wendzel | 4 Dec 2005 00:01

Human-oriented IDS, new Paper+Tool

Hi,

I wrote a new paper about a kind of IDS I call 'Human oriented
IDS' which uses detected differences in users' behavior to detect
accounts taken over by attackers.

You can find the paper and the beta version of the tool I call
fupids2 at http://cdp.doomed-reality.org/fupids2/

Steffen

-- 
cdp.doomed-reality.org
