////////////////////////
// CEREBUS News
////////////////////////
Full screen, GUI and text-based unified
IDS alert file browser and data correlator
(c)2002 by Dragos Ruiu
Shareware Licence:
Distribution in unmodified form permitted.
Free for Individual Non-Commercial Use.
Free for 14 day commercial trial.
Contact dr@dursec.com for licensing and
download instructions for full version.
////////////////////////
// New CEREBUS Releases
////////////////////////
1.4 Terminal Cerebus is out with side scrolling. (Sep 21)
(Resizable windows: hit ^L if you change your xterm)
BLEEDING EDGE Win32 IDS: (Sep 14)
DR's new Win32 installer with these packages bundled
is now available in the downloads sections:
Cerebus Win32 V1.4L
Snort Win32 CVS 1.9 beta
WinPcap 3.0 beta
It seems to work nicely here on 2K, and XP.
Pcap3 seems to not like ME though(!).
Send problem reports to dr@dursec.com.
1.4 GUI Cerebus !!! (Sep 13)
A BETA Version of Cerebus-Win32 is AVAILABLE.
Cerebus has now been ported to an Ultra-Fast Win32 Application.
The standalone .EXE works on Win98, ME, 2000, and XP.
Requires NO DLLs, and has been coded on bare-metal Win32 API
for maximum speed, responsiveness, and portability. Crank up
your keyboard repeat rate and munch those hundred thousand
alert files without getting bored waiting for some SQL database
or web GUI. Cerebus will not impress your manager with pie
charts but it WILL save you time.
News! - Version 1.3 is available on many platforms.
(Now compiled on Solaris Sparc64, and Itanium Linux,
only dynamic link on sol8 for now but it seemed
to run fine on sol7 and should work on sol9.
Thanks: Chris Kuethe at the UofA. Sep. 6/02)
1.3 Release notes (Sept. 2):
I got tired of typing in big long strings of numbers
for snort alert file names, so I implemented a filesystem
browser for merging files. Display has been enhanced so
that when you collapse similar alerts or resort the
display "pivots" around the current entry. Some bugs fixed.
Unless someone reports differently, display looks stable
and rid of any obvious bugs.
1.2 Release notes (Aug 27):
This version is now statically compiled and free of any
library dependencies (not even libc!). Some new features
like collapsing and alert counts and statistics added.
////////////////////////
// CEREBUS Description
////////////////////////
What is CEREBUS?
CEREBUS is a text-based full screen alert analysis system for Snort
unified alert output. It lets you load multiple snort alert files
into its embedded database system and make real-time queries to quickly
delete noise alerts. It is a statically linked standalone binary and
does not require you to set up any additional database software
to analyze Snort IDS output.
Cerebus is intended for Intrusion Detection System analysts who
deal with a large volume of IDS probe data and alert logs and need
to efficiently process these large amounts of data, potentially over
a remote connection, or for individuals who wish to use the Snort IDS but
do not want to deal with the complexity of installing a full database
manager for managing and browsing alerts, or who want to make
their log analysis time as short and efficient as possible.
////////////////////////
// Using CEREBUS
////////////////////////
(also see the Tutorial page...)
Instructions:
cerebus filename [/path/to/sid-msg.map] [outfile]
Use a wide terminal window to see all the fields.
Make sure that your snort.conf file has enabled the unified alert output via:
output alert_unified: snort.alert.filename
Please make sure you use ALERT not LOG (you can use
log_unified and alert_unified at the same time).
I may make a future version browse log packets too.
Browse and filter the alerts with CEREBUS.
Note that sort requests are cumulative, and that removing
adjacent alert records works from the cursor down.
If you specify a third output-file argument, cerebus will
produce a human-readable ASCII dump of the alert file.
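A minimal reader for the alert_unified files CEREBUS browses, added here as an example (it is not CEREBUS code or part of this page). The record layout is an assumption drawn from Snort 1.x's spo_unified.h and event.h as I recall them, the one-record sample file and sid-msg.map lines are constructed, and a little-endian sensor with 32-bit timevals is assumed.

```python
"""Minimal reader for Snort 1.x alert_unified files (added example, not CEREBUS code).
Layout assumed from Snort's spo_unified.h/event.h: 16-byte header (magic 0xDEAD4137, major,
minor, timezone) then 64-byte records in sensor byte order; little-endian, 32-bit timevals assumed."""
import socket
import struct
from datetime import datetime, timezone

ALERT_MAGIC = 0xDEAD4137
HEADER = struct.Struct('<4I')                 # magic, version_major, version_minor, timezone
RECORD = struct.Struct('<9I 2I 4s 4s 2H 2I')  # Event(9 u32) ts(2 u32) sip dip sp dp proto flags

def parse_sid_msg_map(text):
    """Parse Snort's sid-msg.map ("sid || msg || ref ...") into {sid: msg}."""
    sids = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith('#'):
            parts = [p.strip() for p in line.split('||')]
            sids[int(parts[0])] = parts[1]
    return sids

def parse_record(buf, sid_msgs):
    """Unpack one 64-byte record into a dict shaped like a CEREBUS display row."""
    (gen, sid, rev, classification, prio, event_id, event_ref, ref_sec, ref_usec,
     sec, usec, sip, dip, sp, dp, proto, flags) = RECORD.unpack(buf)
    ts = datetime.fromtimestamp(sec, timezone.utc).strftime('%m/%d %H:%M:%S')
    return {'ts': '%s.%06d' % (ts, usec), 'sip': socket.inet_ntoa(sip), 'sp': sp,
            'dip': socket.inet_ntoa(dip), 'dp': dp, 'event': event_id, 'sid': sid,
            'prio': prio, 'class': classification, 'proto': proto,
            'msg': sid_msgs.get(sid, 'Snort Alert [%d:%d:%d]' % (gen, sid, rev))}

def read_alert_file(data, sid_msgs):
    """Check the header, then parse every record; refuse log_unified files and truncated tails."""
    magic, major, minor, tz = HEADER.unpack_from(data, 0)
    if magic != ALERT_MAGIC:
        raise ValueError('not an alert_unified file (magic 0x%08X)' % magic)
    body = data[HEADER.size:]
    if len(body) % RECORD.size:
        raise ValueError('truncated record at end of file (%d stray bytes)' % (len(body) % RECORD.size))
    return [parse_record(body[i:i + RECORD.size], sid_msgs) for i in range(0, len(body), RECORD.size)]

# Constructed sample: a one-record file and a sid-msg.map whose SID 2001 mirrors the screenshot.
SAMPLE_MAP = "2001 || TCP Traffic\n1000001 || LOCAL test rule || url,example.invalid\n"
SAMPLE_FILE = HEADER.pack(ALERT_MAGIC, 1, 81, 0) + RECORD.pack(
    1, 2001, 1, 0, 0, 28187, 0, 1027046428, 608077,   # Event: gen, sid, rev, class, prio, event_id, ref, ref_time
    1027046428, 608077,                               # ts = 2002-07-19 02:40:28.608077 UTC
    socket.inet_aton('10.33.33.100'), socket.inet_aton('216.148.217.246'),
    1053, 80, 6, 0)                                   # sp, dp, protocol 6 (TCP), flags

if __name__ == '__main__':
    for r in read_alert_file(SAMPLE_FILE, parse_sid_msg_map(SAMPLE_MAP)):
        print('%(ts)s %(sip)s:%(sp)d -> %(dip)s:%(dp)d %(msg)s event=%(event)d sid=%(sid)d prio=%(prio)d' % r)
```

A real file from a 64-bit or big-endian sensor will have a different record size and byte order, which is exactly why the magic and the record-size check above fail loudly instead of decoding garbage.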
////////////////////////
// CEREBUS Screen Shot
////////////////////////
Working Screen:
#: 0 of 96(524288) Files: 1 SID-Map: cerebus/map Output: ./cerebus.out Sort:SIP-EVNT Clps:SIP
 Count Timestamp                  Source IP : Port         Dest. IP : Port  Alert       Event  SID Prio Classification
----------------------------------------------------------------------------------------------------------------------
     1 7/19 02:40:28.608077    10.33.33.100 : 1053  216.148.217.246 : 80    TCP Traffic 28187 2001    0 Not Suspicious
     7 *                       10.33.33.103 : *        17.254.0.200 : 20    TCP Traffic     * 2001    0 Not Suspicious
    12 *                       12.233.141.4 : *       232.222.34.66 : 1433  TCP Traffic     * 2001    0 Not Suspicious
    38 *                      17.112.152.32 : 80            *.*.*.* : *     TCP Traffic     * 2001    0 Not Suspicious
  1003 *                        17.254.0.62 : 443          *.*.*.* : *     TCP Traffic     * 2001    0 Not Suspicious
   189 *                       17.254.0.106 : 80            *.*.*.* : *     TCP Traffic     * 2001    0 Not Suspicious
300219 *                       17.254.0.200 : *             *.*.*.* : *     TCP Traffic     * 2001    0 Not Suspicious
    10 *                       24.86.92.240 : 38032   232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
    42 *                     24.196.133.126 : *       232.222.34.80 : 80    TCP Traffic     * 2001    0 Not Suspicious
     6 *                       61.74.223.25 : *       232.222.33.79 : 1433  TCP Traffic     * 2001    0 Not Suspicious
    12 *                      61.222.117.96 : *       232.222.34.66 : 1433  TCP Traffic     * 2001    0 Not Suspicious
    20 *                      63.123.77.202 : 80      232.222.33.79 : 1058  TCP Traffic     * 2001    0 Not Suspicious
    37 *                     63.164.121.131 : 56523   232.222.34.80 : 80    TCP Traffic     * 2001    0 Not Suspicious
    15 *                       64.15.231.47 : 46761   232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
    15 *                       64.24.81.145 : *       232.222.34.80 : 80    TCP Traffic     * 2001    0 Not Suspicious
    15 *                      64.27.167.221 : 37775   232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
    20 *                         64.70.44.4 : 25226   232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
    14 *                      64.71.137.114 : 3947    232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
   246 *                       64.90.164.74 : 756     232.222.34.66 : 26331 TCP Traffic     * 2001    0 Not Suspicious
    77 *                     64.124.124.251 : *       232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
     6 *                      64.156.198.76 : 59758   232.222.34.80 : 80    TCP Traffic     * 2001    0 Not Suspicious
    14 *                        64.251.21.9 : 42046   232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
    14 *                       64.251.21.10 : 38536   232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
    11 *                       65.19.95.170 : 2816    232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
     5 *                        65.94.36.71 : 17900   232.222.34.80 : 80    TCP Traffic     * 2001    0 Not Suspicious
    30 *                      65.173.78.208 : *       232.222.34.80 : 80    TCP Traffic     * 2001    0 Not Suspicious
     5 *                     65.198.105.212 : 1653    232.222.33.82 : 25    TCP Traffic     * 2001    0 Not Suspicious
----------------------------------------------------------------------------------------------------------------------
Functions: (C)ollapse (E)xpand (S)ort (D)el (R)emove (M)erge (W)rite (Q)uit CEREBUS-1.3L-dragos ruiu
////////////////////
// Mandatory Commercial Content:
////////////////////
-dr is available for ids consulting and analysis and system
projects. cerebus is available for custom implementation
integration. more toys under construction. Since Sourcefire
hasn't recently been farming out any more remote development
work now that they have a full team in-house in MD I am
actively seeking development and consulting contracts
until I get busy with my conference preparations again.
cheers,
--dr
--
dr@dursec.com pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
Aardvarks Kick Ass