[Dshield] Looking for Beta Testers
jullrich at sans.org
Fri Jun 7 21:21:36 GMT 2002
> First is the lack of anonymization and potential disclosure issues
> sensitive sites will have with this. Don't expect much participation
> from sites that process sensitive info.
based on some preliminary 'asking around', it looks like we can get
plenty of submitters.
> Second is the traffic load. I hope you have the mother of all internet2
> links to be able to handle the traffic load a few hosts doing wide scans
> that triggers a lot of alerts create.
(This also relates to (3)): The plugin includes a throttle/buffer. Alerts
are accumulated in a local buffer which is sent to the server once in a while.
There are three parameters controlling this:
1 - size of buffer
2 - minimum time between sends (avoid DOS...)
3 - maximum time between sends (the buffer is sent even if it is not full)
In the future, I hope to control a lower limit for '2' by a return code
set by the server after each submission.
Of course, 1&2 will cause alerts to be dropped. But as usual, it's better
to have some than none. Right now, everything is dropped once the buffer
is full. Not sure if a FIFO or some consolidation makes sense. (Consolidation
is probably a bit complex.)
> Third is the DOS potential. You will be creating an interesting traffic
> mirror. A clever attacker may figure out how to trigger off alerts
> not only on inbound packets, but the outbound packet may trigger as
> well if not compensated for. Uh-Oh... :-)
> Care is advised,
> P.s. Why do you need a snort plugin for this? The snort unified output
> system seems like it does everything you need including providing binary
> packets with alerts. You more likely need a barnyard plug-in and a
> cron job, imho.
it doesn't do buffering/httpd/https.... I used the xml plugin as a
starting point (it has httpd/https), added the buffer and threw out
> On Tue, 4 Jun 2002 16:01:47 -0400
> Johannes Ullrich <jullrich at euclidian.com> wrote:
> > yes. There is a beta version and a number of people are testing it.
> > I had to put it on hold for the last couple of weeks due to some
> > other activities with higher priority :-( ... But I hope to pick up
> > on it soon.
> > > On Wednesday 17 April 2002 3:23 pm, Johannes B. Ullrich wrote:
> > > > We are moving ahead on DShield, TsNG (The Snort Generation).
> > > > The goal is to setup a snort plugin to report full packet content
> > > > in more or less real time.
> > > >
> > >
> > > did anything happen with this?
> --dr pgpkey: http://dragos.com/dr-dursec.asc
> 0 = 1 , for large values of zero and small values of one.
jullrich at sans.org Collaborative Intrusion Detection join http://www.dshield.org
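The throttle/buffer described in the reply above, written out as an added example (not the plugin's own code): alerts accumulate locally, a full buffer drops new alerts, sends are held back by a minimum interval and forced by a maximum one, and the server's return value is assumed to be a hint raising the minimum-interval floor. Names such as `AlertBuffer`, `add` and `flush` are assumptions for illustration.

```python
class AlertBuffer:
    """Throttled alert buffer: accumulate locally, ship to the server in batches."""

    def __init__(self, max_size, min_interval, max_interval, now):
        self.max_size = max_size          # parameter 1: buffer capacity
        self.min_interval = min_interval  # parameter 2: min seconds between sends (rate limit)
        self.max_interval = max_interval  # parameter 3: flush even if not full after this long
        self._buf = []
        self._last_send = now             # treat construction time as the last send
        self.dropped = 0                  # alerts lost because the buffer was full

    def add(self, alert):
        """Buffer an alert; once the buffer is full, new alerts are dropped."""
        if len(self._buf) >= self.max_size:
            self.dropped += 1
            return False
        self._buf.append(alert)
        return True

    def should_send(self, now):
        """A send is due when the rate limit allows it and the buffer is full or stale."""
        if not self._buf:
            return False
        since = now - self._last_send
        if since < self.min_interval:
            return False  # never send more often than min_interval, even under an alert flood
        return len(self._buf) >= self.max_size or since >= self.max_interval

    def flush(self, now, send):
        """Send the batch via send(list) if due; returns the number of alerts sent.

        send() is assumed to return the server's requested minimum interval (or None);
        a higher value raises the local floor, the planned server-side back-pressure.
        """
        if not self.should_send(now):
            return 0
        batch, self._buf = self._buf, []
        server_min = send(batch)
        if server_min is not None and server_min > self.min_interval:
            self.min_interval = float(server_min)
        self._last_send = now
        return len(batch)
```

Because a burst of alerts never changes the send cadence, a host that triggers many alerts can at most fill the buffer and cause drops; it cannot make the sensor hit the server faster than the floor allows.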