[plug] 1) interpreting snort data 2) Security Patches for kernel 2.4

Michael Hunt michael.j.hunt at usa.net
Thu Jan 3 21:01:59 WST 2002


Daniel [mailto:cottmain at yahoo.com.au] wrote:

> Hi Mike and Plug,

Hiya Dan,

> I was just musing over my lack of understanding of firewalls and logs
> [among other things]... then I found the following.  Is this what you are
> after?
>
> 1) interpreting snort data
> http://www.grsecurity.net/misc.htm
> "grsparse is the only snort logfile parser written in pure c that
> acts as a cgi and outputs the logs in an organized way in HTML format. It's
> incredibly fast, features ip whois, nslookup, and domain whois all with
> internal code. It also allows you to sort by any criteria, and
> gives you a rundown of the most and least recurring of each field. It requires snort
> v1.8+ and the snort config available on www.snort.org. Now uses
> autoconf, so it will work on any operating system that can run snort."

Smoothwall (which is what I am using for my firewall at the moment) has
something similar but not as fancy. What I am really looking for is a
database that I can plug messages into and get some detailed analysis from. At
the moment the information is very cryptic and doesn't always really explain
what is going on.

I certainly like the look of grsparse and may use it when I do the "build your
own slackware firewall from source and become an instant Linux/security guru
overnight". I am thinking that the "apt-get" Debian firewall solution is
looking much easier though *grin*

> 2) Security Patches for kernel 2.4
> http://www.grsecurity.net/
> "Grsecurity is the most extensive set of security patches to the 2.4 tree
> of Linux kernels to date. It features ports of popular security
> patches for
> the 2.2 tree of Linux kernels (such as Openwall, available at
> http://www.openwall.com/linux), its own ACL system, various other adapted
> features (such as the Trusted Path Execution and random IP ID
> implementations), as well as a great deal of enhanced auditing/logging
> features. It also includes the work of PaX, available at
> http://pageexec.virtualave.net. The goal of the project is to create the
> most secure system possible while requiring minimum configuration. With
> every new version that is released, that goal is being more fully
> realized."

Smoothwall/Potato are both running 2.2 kernels so I don't think these are
going to be any good to me at the moment. The patches are certainly
something that is interesting and I hope to be having a good look into them
soon.

Now where did that spare time go .....

> Regards,
> Daniel.

Thanks Dan. Very informative.

> At 19:03 3/01/2002 +0800, Michael Hunt wrote:
> >...snip...
> >Anyone have any links on how to interpret snort data ???
> >
> >Maybe a Linux security guru could give a PLUG talk ??? Maybe a Linux
> >security guru will give a talk at LCA 2002 ??? Or maybe even at 2003 ???
> >(Can I wait that long ????)
> >
> >Maybe I should become a Linux security guru !!!
> >Michael Hunt
