cerebus 1.2 beta data analysis tool

From: Dragos Ruiu <dr@dursec.com>
To: focus-ids@securityfocus.com
Date: Mon, 26 Aug 2002 19:20:08 +0000


////////////////////
// Announcing the release of CEREBUS v1.2
////////////////////

What is CEREBUS?

CEREBUS is a text-based full screen alert analysis system for Snort
unified alert output. It lets you load multiple snort alert files into its
embedded database system and make real-time queries to quickly
delete noise alerts. It is a statically linked standalone binary and
does not require you to set up any additional db system to analyze
Snort IDS output.

Cerebus is intended for Intrusion Detection System analysts who
deal with a large volume of IDS probe data and alert logs and need
to efficiently process lots of data, potentially over a remote
connection, or individuals who wish to use the Snort IDS but do
not want to install a full database manager to manage and
browse alerts.

Feed Cerebus Snort unified alert files from /var/log/snort. (Follow
the snort config instructions on the first Cerebus screen to set
up unified output, if you are unfamiliar with this.)

The Lite version is the free non-commercial version intended for
smaller environments and individual use. The information below
pertains to both the commercial licensed version and the free Lite
version. The commercial version features support for more alert
input file formats and sources, writing ability to save edited alert
sets/reports, and enhanced multi-source data management.

////////////////////
// What's new in this release:
////////////////////

-Alert Priority and Classification Display

-Sort/Collapse/Removal by Priority and Classification

-Collapsing similar alerts (source, dest, alert type etc...)

-Statistics modes (in conjunction with collapsing) and
  Alert counts.

-New partial processing for _very_ large alert files.
 It will defer processing until you scroll to the data when
 you choose a collapse mode. The number in parentheses
 after the number of alert records indicates the number
 of collapsed records after display collapse. (Note that the
 number will change as you scroll through the file
 and incremental processing happens.)

-New high speed mini-curses library.
 I got tired of futzing with statically compiling curses, I was
 looking through the code and said, "yuck, look at all this
 crap", "curses" indeed. Who in this day and age needs
 ascii windowing and support for Morrow InterTube magic
 cookie terminals? Everything (well almost :-) in the known
 universe uses the ansi/vt1x0/vt2x0 command set - so I
 stripped out the gunk for everything except that in my
 reimplementation so you can use anything like an xterm
 (use a wide one to see all the fields), or a linux/bsd/console,
 pc terminal program, remote ssh whatever... I'm afraid
 that if like me you have something odd like wyse terminal
 you are sol about using this on it :-) By losing all the
 termlib/terminfo crap and a lot of unused functionality,
 the low swearing diet plan reduced this library's waistline
 by more than 10x and gained execution speedups.

-Fast scrolling.
 The benefit to reimplementing curses is that I have removed
 all library dependencies and I even removed stdio and libc
 routines. My new small fast library makes scrolling much
 snappier (I can't really tell the difference between a p-200
 and gig athlon) - and it is now realistic to lean on the page
 down key and hop-over a few tens of thousands of alerts.
 The mini-curses library (libcuss? short version of curse?
 libless? a blessing would be the opposite of a curse? :-)
 should also send fewer characters overall in bigger blocks
 than normal curses to describe the same screen, so it
 should still work fine over network ssh'es, or even serial
 consoles - probably even better than the original.
 
-Static binaries with no library dependencies.
 The Linux, FreeBSD, OpenBSD, (and OSX as soon as I
 upload the recompile to the web servers) versions on the
 web servers are now there. I'm happy to say that except
 for open/close, read/write, malloc/free (and ioctl on bsd),
 this stuff is libc bloat free. These binaries should run on
 any systems without library futzing. I'm happy with the
 portability of my code :-).

-The sparc version is still unavailable because the
 donated sparcstation doesn't seem to like either video
 or serial consoles...sigh.

-Itanium and Alpha versions of Cerebus will be added
 to release sets soon with these new portability improvements.
 (Thanks Chris)

////////////////////
// Cool things to do with Cerebus:
////////////////////

-Look at the count statistics for each kind of alert in a set of files?
        how:
                1. Merge the files into the db
                2. (S)ort by (A)lert
                3. (C)ollapse by (A)lert

-Delete all of a certain kind of alert for a single destination host?
        how:
                1. Merge the files into the db
                2. (S)ort by (D)estination (I)P
                3. (S)ort by (A)lert
                4. (C)ollapse by (D)estination (I)P
                5. Move to the host/alert pair you want to
                    nuke and delete it using (R)emove
                    (D)estination (I)P

-Look at the Alert activity by port?
        how:
                1. Merge the files into the db
                2. (S)ort by (D)estination or (S)ource (I)P
                3. Collapse by the same as above

////////////////////
// Cerebus Hints:
////////////////////
        -In the upper right corner of the screen are indicator toggles for the
         collapse modes. To toggle a collapse mode <off> just reselect it.
        -The sort order is a stack. It gets reset when you sort by (E)vent
        -You can see the sort stack indicator in the upper right next to the
         collapse indicators.
        -The (E)xpand command will clear all collapsing. All the records
         will be ungrouped as you page through the data.
        -If you accidentally deleted some records you can re-merge the
         files you loaded earlier. Cerebus will tell you how many records
         it restored.
        -If you are analyzing live files that snort is writing to, you can
         re-merge the files to get the new records recently written out.
        -Flipping over alert files daily/weekly seems to be a nice way
         to manage datasets.
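The merge / sort-stack / collapse / remove workflows in "Cool things to do" and the re-merge-to-restore hint above, as an added Python model written for this page (not Cerebus's own code). The record fields, the de-duplication key used on merge, and the stack semantics (the most recently pushed sort is the primary key) are assumptions of this example.

```python
# Constructed sample "alert files"; field names are this example's own (the
# announcement does not describe the Snort unified on-disk layout).
FILE_1 = [
    {"ts": 1, "sig": "ICMP PING NMAP", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 0},
    {"ts": 2, "sig": "ICMP PING NMAP", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 0},
    {"ts": 3, "sig": "WEB-IIS cmd.exe", "src": "10.0.0.7", "dst": "10.0.0.9", "dport": 80},
]
FILE_2 = [  # overlaps FILE_1 on the ts=3 record, as a rotated log might
    {"ts": 4, "sig": "WEB-IIS cmd.exe", "src": "10.0.0.7", "dst": "10.0.0.12", "dport": 80},
    {"ts": 3, "sig": "WEB-IIS cmd.exe", "src": "10.0.0.7", "dst": "10.0.0.9", "dport": 80},
]

def merge(db: dict, records: list) -> int:
    """Merge a file into the db; returns how many records were new, so
    re-merging after an accidental delete restores exactly the missing ones."""
    added = 0
    for r in records:
        key = (r["ts"], r["sig"], r["src"], r["dst"], r["dport"])  # assumed identity
        if key not in db:
            db[key] = r
            added += 1
    return added

def apply_sort_stack(db: dict, stack: list) -> list:
    """Sort stack: each (S)ort pushes a field and the newest push is the primary
    key (assumed semantics); stable re-sorts in push order give exactly that."""
    rows = list(db.values())
    for field in stack:
        rows.sort(key=lambda r: r[field])  # IPs compare as strings here
    return rows

def collapse(rows: list, fields: tuple) -> list:
    """(C)ollapse: one entry per distinct value of the chosen fields, with its
    count, in the order the sorted rows present them (the statistics view)."""
    groups = {}
    for r in rows:
        k = tuple(r[f] for f in fields)
        groups[k] = groups.get(k, 0) + 1
    return list(groups.items())

def remove_where(db: dict, **match) -> int:
    """(R)emove every record whose fields equal the given values (e.g. one
    alert type for one destination host); returns how many were deleted."""
    doomed = [k for k, r in db.items() if all(r[f] == v for f, v in match.items())]
    for k in doomed:
        del db[k]
    return len(doomed)
```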

////////////////////
// Cerebus Caveats:
////////////////////
        -I'm sure it isn't perfect and there are probably still some combinations
         of actions that can crash Cerebus, but it now has some level
         of base stability and is responding to the kinds of queries I need
         and performs many useful functions so I'm releasing this beta
         version while I keep testing - undoubtedly some out there will
         be able to push Cerebus to crash, so please send me any info
         and I will fix it.

////////////////////
// Where to get cerebus:
////////////////////

http://dragos.com/cerebus/cerebus-linux-v1.2
http://dragos.com/cerebus/cerebus-fbsd-v1.2
http://dragos.com/cerebus/cerebus-obsd-v1.2

////////////////////
// Mandatory Commercial Content:
////////////////////

-dr is available for ids consulting and analysis and system
 projects. cerebus is available for custom implementation
 integration. more toys under construction.

cheers,
--dr

-- 
dr@dursec.com  pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
