Posts Tagged ‘Sourcefire’
It’s that time of year again. Infosecurity Europe is upon us. If you’re going to be there and have a strong interest in the inner workings of intrusion prevention engines, have I got a treat for you lucky lucky people 🙂
Sourcefire’s own Lurene Grenier (@pusscat) and Matthew Olney (@kpyke) are running a workshop!
Here’s the official blurb:
Sourcefire VRT Workshop
Register here – 11:00 – 12:00, Wednesday 28th April 2010 – Mayfair Room, Earls Court.
The VRT team will demonstrate the power and flexibility of the engine by unveiling a new multi-faceted, scalable detection methodology targeted at addressing the most difficult detection problems facing security professionals today.
So if that gets your interest going, make sure you register here.
As a bonus for you all, Sourcefire are also running an “Intelligent Network Security” Workshop.
Sourcefire Intelligent Network Security Workshop
Register here | 15:00 – 16:00, Wednesday 28th April 2010 | Mayfair Room, Earls Court
In the age of the advanced persistent threat, of cloud computing and of new economic realities, how can companies ensure their networks are monitored and protected securely and cost-effectively? Find out how Sourcefire, the leader in context-aware Intrusion Prevention Systems, has addressed the limitations of current generation IPS to provide true intelligent network security solutions.
And I’ll be stuck on the Sourcefire stand for most of the three days, pop by if you want to say “oh hai”.
I’m attending a network security Blogger meeting on the 30/March/2010 in a pub just off Oxford St, London. It’s kindly hosted by Sourcefire but don’t expect any sales people in attendance! It will be an informal event with drinks, nibbles, and networking (read free beer). Hopefully we’ll discuss what’s hot (or not) right now, share some ideas, and provide inspiration for a post or two.
If you’re a network security blogger and want to meet others like you in person, let me know and I’ll try to get you on the guest list!
Snort events and Google Earth Mashup. They say a picture is worth a thousand words, so I guess the below is all I need to show to explain.
Firstly, karma goes to James Tucker for hacking together an early PoC.
I looked into hooking Google Earth into Sourcefire’s Defense Center about a year ago, but ran into issues with finding a good *free* geolocation perl module that I could use. After a chat with Jim a few weeks back, he pointed me to Maxmind and provided a quick sample of plotting a Snorty pig.
I jumped right into making the integration glue for Sourcefire’s real-time event feed (EStreamer), making it plot the location of your current attacker as the events flood in.
The Good: It worked!
The Bad: It made me dizzy!
The world would spin way too fast to keep up with all the nasty stuff out there. I finally decided on a more mature approach of parsing either a snort alert file, or a Sourcefire CSV report. This way the user gets more control of the data being rendered.
To see a real example, download and take a look at the below KML file (open in Google Earth). I re-enabled SQL worm detection in my snort config on a publicly accessible device to find out which country is being the slowest to patch. It provided an immediately interesting trend. Well done Europe and America for patching against an 8-year-old problem, shame on the rest of you! Open the attached KML file in Google Earth to inspect in detail on your own local system.
Because Sourcefire 3D uses an advanced method of alert prioritization (impact flags), when used with a Sourcefire report you get an output like the below.
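To make the snort-alert-file half of the approach concrete, here is an added example (my own illustration, not the Perl code from the post or from Jason’s blog) that parses Snort “alert_fast” lines, geolocates the source address and writes a KML file with one placemark per attacking host plus a per-country count. The alert lines are constructed sample data, and the `GEO_TABLE` prefix lookup is a stand-in for a real MaxMind GeoIP database query (the real tool would call the GeoIP library; that wiring is assumed, not shown).

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Snort alert_fast lines (sample data, not a real capture).
# Line 4 has no Classification field, which the parser must tolerate.
SAMPLE_ALERTS = """\
03/10-14:22:01.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 203.0.113.5:1434
03/10-14:22:03.654321  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 203.0.113.5:1434
03/10-14:22:09.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.44:1434 -> 203.0.113.5:1434
03/10-14:23:15.000002  [**] [1:1000001:1] Test rule [**] [Priority: 3] {TCP} 10.0.0.1:5555 -> 203.0.113.5:80
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# Classification, Priority and the ports (ICMP alerts have none) are optional.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<pri>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)

# Constructed stand-in for a MaxMind lookup: address prefix -> (country, lat, lon).
# A real deployment would query the GeoIP database here instead (assumed).
GEO_TABLE = {
    "192.0.2.": ("Exampleland", 51.5, -0.12),
    "198.51.100.": ("Testonia", 40.7, -74.0),
}


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def geolocate(ip):
    """Look the source up in the stand-in table; None when we have no location."""
    for prefix, loc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return loc
    return None


def country_counts(events):
    """Alerts per source country: the 'who is slowest to patch' view from the post."""
    counts = Counter()
    for ev in events:
        loc = geolocate(ev["src"])
        if loc:
            counts[loc[0]] += 1
    return dict(counts)


def build_kml(events):
    """Aggregate alerts per source host and emit a KML document with one Placemark each."""
    per_src = {}
    for ev in events:
        loc = geolocate(ev["src"])
        if loc is None:
            continue  # nothing to plot without coordinates
        entry = per_src.setdefault(ev["src"], {"loc": loc, "count": 0, "msgs": set()})
        entry["count"] += 1
        entry["msgs"].add(ev["msg"])
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = "Snort alerts by source host"
    for src, entry in sorted(per_src.items()):
        country, lat, lon = entry["loc"]
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{src} ({entry['count']} alerts)"
        ET.SubElement(pm, "description").text = f"{country}: " + "; ".join(sorted(entry["msgs"]))
        point = ET.SubElement(pm, "Point")
        # KML coordinate order is longitude,latitude,altitude
        ET.SubElement(point, "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    with open("snort_alerts.kml", "w", encoding="utf-8") as fh:
        fh.write(build_kml(evs))
    print(country_counts(evs))
```

Aggregating per source host before writing placemarks is what keeps the globe from spinning: a flood of repeated alerts from one address becomes a single marker with a count, and hosts the geolocation database cannot place are dropped rather than drawn at 0,0.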
Update: The code can be downloaded from Jason’s blog on Snort.org. It’s simple to use and get working, but I’ll knock up some instructions when I get a moment.