[Discussion] Installers

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 15:35:34 UTC 2009


Kevin Ross wrote:
> 
> an installer on a cut-down linux/bsd system perhaps with a simple
> installer, also perhaps configuration by a web interface. That way a
> non-unix person can install the system selecting the relevant options,
> then use the web interface to set up the distributed system. This would
> attract more users by helping to simplify a basic setup. Possibly even
> installers consisting of different tools, i.e. an installer for
> master/slave sensors for normal IDS/IPS and correlation and another say
> for a honeypot with nepenthes or honeyd and in the install you can point
> it to the master sensor. That way dedicated parts of the distributed
> system can be installed easily by inexperienced users (which everyone
> will be who comes to use this system at first till they learn it). Also
> using these methods means different types of systems can be added to the
> distributed IDS/IPS as need dictates such as some new type of detection
> tool to some future type of attack.

Great idea! I've thrown out I think something similar privately to have
a web interface.

I think the largest hurdle for new folks getting into snort is the
initial build and config. It's a HUGE learning curve, and there isn't
much to help you because EVERY net is very different. The only real good
way to get into snort is a class or someone that already knows it
guiding you through. There's not much of an avenue for a quick
self-learning process.

A web interface would be great, but we have to make sure it just writes
the text config, or inserts into the db the config created.

(BTW: I'm lobbying for a config that can be kept in the DB or text file,
would make remote sensors FAR easier to manage)

The web interface could ask a few basic questions (what's your internal
ip space, is my sensing interface inside or outside, what rulesets do
you want to load, do you care about P2P traffic, etc) and guide some
basic decisions for the user.

The extras like honeyd and all are very interesting. I'd like to see a
nepenthes as well integrated somehow. Maybe an intermediary for
nepenthes/honeyd to talk to the engine. If there's an exploit against a
honeypot that info goes directly to the engine and immediately puts that
attacker's IP into the hostile area in its IP Reputation?

Maybe the binary captures by the sandnet go right to the analyst for
analysis, maybe an auto-sig for the binary in transit other places gets
inserted?

matt


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
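The honeypot-to-engine hand-off Matt sketches above (an exploit seen by nepenthes/honeyd lands the attacker's IP in the hostile area of the IP reputation table) is illustrated here as an added example; it is not code from this thread, from the Open Information Security Foundation engine, or from nepenthes/honeyd. The event line format, the score per outcome, the 24-hour window and the `ip,category,score` output layout are all assumptions made for the example. The defensive details a practitioner would want are in it: events from the home network are never listed (so a compromised internal host cannot get the sensor to block itself), stale and malformed lines are dropped, and a single connection probe is only "suspicious" while an actual exploit attempt is "hostile".

```python
"""Turn honeypot hits into an IP reputation table (added example).

Not code from this thread, the engine, or nepenthes/honeyd. The event
line format below is a constructed stand-in for whatever the honeypot
really emits, and the "ip,category,score" output is an assumed layout
for the engine side to consume.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events. "probe" = connection only, "exploit" = the
# honeypot saw an exploit attempt against one of its fake services.
SAMPLE_EVENTS = [
    "2009-03-01T15:00:00 attacker=203.0.113.5 service=smb outcome=exploit",
    "2009-03-01T15:01:10 attacker=203.0.113.5 service=smb outcome=exploit",
    "2009-03-01T15:02:00 attacker=198.51.100.9 service=http outcome=probe",
    "2009-03-01T15:03:00 attacker=10.0.0.7 service=smb outcome=exploit",   # internal host, never listed
    "2009-02-20T09:00:00 attacker=192.0.2.44 service=ftp outcome=exploit",  # older than the window
    "garbage line that should be skipped",
]

# Assumed internal address space (what the web interface would ask for).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed scoring: one exploit attempt is enough to be "hostile",
# a bare probe is not.
OUTCOME_SCORE = {"probe": 1, "exploit": 10}
HOSTILE_THRESHOLD = 10
WINDOW = timedelta(days=1)


def parse_event(line):
    """Return (timestamp, ip, service, outcome), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        ip = ipaddress.ip_address(fields["attacker"])
        return ts, ip, fields["service"], fields["outcome"]
    except (ValueError, KeyError):
        return None


def is_home(ip):
    """True if the address belongs to our own network."""
    return any(ip in net for net in HOME_NET)


def build_reputation(lines, now):
    """Aggregate events within WINDOW of `now` into {ip: {score, services, category}}."""
    table = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip, service, outcome = ev
        # Drop stale events, our own hosts, and outcomes we do not score.
        if now - ts > WINDOW or is_home(ip) or outcome not in OUTCOME_SCORE:
            continue
        entry = table.setdefault(str(ip), {"score": 0, "services": set()})
        entry["score"] += OUTCOME_SCORE[outcome]
        entry["services"].add(service)
    for entry in table.values():
        entry["category"] = "hostile" if entry["score"] >= HOSTILE_THRESHOLD else "suspicious"
    return table


def reputation_lines(table):
    """Render the table as 'ip,category,score' lines, hostile entries first."""
    order = sorted(table.items(),
                   key=lambda kv: (kv[1]["category"] != "hostile", -kv[1]["score"], kv[0]))
    return [f"{ip},{e['category']},{e['score']}" for ip, e in order]


def demo():
    """Run the sample events through the pipeline at a fixed 'now'."""
    return reputation_lines(build_reputation(SAMPLE_EVENTS, datetime(2009, 3, 1, 16, 0, 0)))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as-is it lists 203.0.113.5 as hostile with score 20 and 198.51.100.9 as suspicious with score 1; the internal 10.0.0.7 hit, the eleven-day-old 192.0.2.44 hit and the garbage line never reach the table. The window and home-net exclusion are the two knobs worth getting right before such a feed is allowed to drive blocking rather than just alerting.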