[Dshield] Looking for Beta Testers

Johannes Ullrich jullrich at sans.org
Fri Jun 7 21:21:36 GMT 2002


> First is the lack of anonymization and potential disclosure issues
> sensitive sites will have with this.  Don't expect much participation
> from sites that process sensitive info.

based on some preliminary 'asking around', it looks like we can get
plenty of submitters.


> Second is the traffic load.  I hope you have the mother of all internet2
> links to be able to handle the traffic load a few hosts doing wide scans
> that triggers a lot of alerts create.

(This also relates to (3) ): The plugin includes a throttle/buffer. Alerts
are accumulated in a local buffer which is send to the server once in a while.
There are three parameters controlling this:
 1 - size of buffer
 2 - minimum time between sends (avoid DOS...)
 3 - maximum time between sends (the buffer is send even if it is not full
     yet).

in the future, I hope to control a lower limit for '2' by a return code
set by the server after each submissions. 

Of course, 1&2 will cause alerts to be dropped. But as usual, its better
to have some than none. Right now, everything is dropped once the buffer 
is full. Not sure if a FIFO or some consolidation makes sense. (consolidation
is probably a bit complex)
 
> 
> Third is the DOS potential.  You will be creating an interesting traffic
> mirror.  A clever attacker may figure out how to trigger off alerts
> not only on inbound packets, but the outbound packet may trigger as
> well if not compensated for. Uh-Oh... :-)
> 
> Care is advised,
> --dr
> 
> P.s. Why do you need a snort plugin for this? The snort unified output 
> system seems like it does everything you need including providing binary
> packets with alerts.  You more likely need a barnyard plug-in and a
> cron job, imho.

it doesn't do buffering/httpd/https.... I used the xml plugin as a 
starting point (it has httpd/https), added the buffer and threw out
the xml.




> 
> On Tue, 4 Jun 2002 16:01:47 -0400
> Johannes Ullrich <jullrich at euclidian.com> wrote:
> 
> > 
> > yes. There is a beta version and a number of people are testing it.
> > I had to put it on hold for the last couple of weeks due to some
> > other activities with higher priority :-( ... But I hope to pick up
> > on it soon.
> > 
> > 
> > > On Wednesday 17 April 2002 3:23 pm, Johannes B. Ullrich wrote:
> > > > We are moving ahead on DShield, TsNG (The Snort Generation).
> > > > The goal is to setup a snort plugin to report full packet content
> > > > in more or less real time.
> > > >
> > > 
> > > did anything happen with this?
> 
> -- 
> --dr                  pgpkey: http://dragos.com/dr-dursec.asc
>        0 = 1 , for large values of zero and small values of one.
> 


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection                                               join http://www.dshield.org




More information about the list mailing list