////////////////////////
// CEREBUS Tutorial
////////////////////////
What is CEREBUS?
CEREBUS is a text-based full screen alert analysis system for Snort
unified alert output. It lets you load multiple snort alert files
into its embedded database system and make real-time queries to quickly
delete noise alerts. It is a statically linked standalone binary and
does not require you to set up any additional database software
to analyze Snort IDS output.
Cerebus is intended for Intrusion Detection System analysts who
deal with a large volume of IDS probe data and alert logs and need
to efficiently process these large amounts of data, potentially over
a remote connection, or individuals who wish to use the Snort IDS but
do not want to deal with the complexity of installing a full database
manager for managing and browsing alerts or who desire to make
their log analysis time as short and efficient as possible.
What it lacks in eye-candy (fancy fonts, gui buttons) it makes up
for in raw speed and efficiency of processing alerts and the ability
to rapidly identify small important anomalies in large data sets. It
is also usable over a network link without having to import those
large data sets to your local machine... so if you have a large
fast machine as your central repository or you want to analyze
the data on the probe machine directly you can do all the processing
there (Cerebus is also very CPU efficient compared to an SQL
database) and still use it from your own desktop - independent
of what your desktop machine is - without waiting for a slow
web gui to update or a database to run queries.
Feed Cerebus Snort unified alert files from /var/log/snort. (Follow
the snort config instructions on the first Cerebus screen to set
up unified output, if you are unfamiliar with this.)
Cerebus won't impress your manager with fancy pie charts, but it
may speed up your alert analysis to let you examine events in detail
that would otherwise get ignored. Cerebus will hopefully let you
spend less time minding the IDSes and more time enjoying summer.
The Lite version is the free non-commercial version intended for
smaller environments and individual use. The information below
pertains to both the commercial licensed version and the free Lite
version. The commercial version features support for more alert
input file formats and sources, the ability to save edited
alert sets and reports, and enhanced multi-source data management.
////////////////////
// Cool things you can do with Cerebus:
////////////////////
-Look at the count statistics for each kind of alert in a set of files?
how:
1. Merge the files into the db
2. (S)ort by (A)lert
3. (C)ollapse by (A)lert
-Delete all of a certain kind of alert for a single destination host?
how:
1. Merge the files into the db
2. (S)ort by (D)estination (I)P
3. (S)ort by (A)lert
4. (C)ollapse by (D)estination (I)P
5. Move to the host/alert pair you want to
nuke and delete it using (R)emove
(D)estination (I)P or (D)elete
-Look at the Alert activity by port?
how:
1. Merge the files into the db
2. (S)ort by (D)estination or (S)ource (P)ort
3. Collapse by the same choice
////////////////////
// Typical Usage:
////////////////////
Cerebus is intended to be a paring tool - to cut away
uninteresting data and get to the core of security issues.
The usual way I use Cerebus is to load in the alert files
I want to look at and remove the noise before analyzing
anything in detail.
The quick way to get rid of data is to collapse it and then
delete the collapsed line. In this way usually hundreds of
thousands of alerts can be reduced to mere hundreds of
lines to look at in more detail.
My usual first step is to get rid of the alert types I don't
care about (things like Code Red on web servers, etc.). I
usually sort by alert and then collapse by alert to nuke
alert types I don't like. Then I usually weed out noisy or
frequently false-positive hosts by sorting on destination IP and port.
You can then use port sorting to eliminate some noisy
protocols.
After I get rid of the noise... I then usually sort by source and
collapse and start investigating the hosts that have been
sending a lot of crap... So far I am pleased to report Cerebus
has dramatically decreased the amount of time I have to
spend looking over alert files - It lets me manage and analyze
volumes of alerts that were previously infeasible to look
through for anomalies and interesting data (and would
probably have wound up in the bit-bucket without Cerebus).
It works best in as large an xterm as you can fit on your
screen with small font sizes... because the scrolling is very
fast, you can hop over impressive amounts of data rapidly
just using page up and page down. You can do correlation
by using the different sort and collapse modes to delete the
data between events of interest and look at multi-machine
events side by side. Reloading the same file lets you restore
those events that you deleted when examining certain
hypotheses...
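As an added worked example (my own Python, not Cerebus code and not from its author), here is the sort/collapse/remove cycle from the "Cool things" list above and the noise-reduction pass just described, run over a constructed set of alert records. The AlertDB class, the triage() function and the sample records are this example's own; the field names (alert, prio, class, src, dst, sp, dp, proto) only mirror the kind of data a Snort unified alert record carries. Collapsing is a group-by with counts, deleting a collapsed line drops every record behind it, and reload() restores the loaded set the way re-reading the file does.

```python
"""Constructed, in-memory model of the Cerebus sort / collapse / remove workflow.

Hypothetical example code, not part of Cerebus. Alerts are plain dicts whose
keys stand in for the fields of a Snort unified alert record. All sample
records below are constructed (RFC 5737 documentation addresses).
"""
from typing import Dict, List, Tuple

# Constructed sample alerts, standing in for records merged from unified files.
SAMPLE_ALERTS: List[Dict] = [
    {"alert": "WEB-IIS cmd.exe access", "prio": 1, "class": "web-application-attack",
     "src": "203.0.113.5", "dst": "198.51.100.10", "sp": 40001, "dp": 80, "proto": "TCP"},
    {"alert": "WEB-IIS cmd.exe access", "prio": 1, "class": "web-application-attack",
     "src": "203.0.113.5", "dst": "198.51.100.11", "sp": 40002, "dp": 80, "proto": "TCP"},
    {"alert": "WEB-IIS ISAPI .ida attempt", "prio": 1, "class": "web-application-attack",
     "src": "203.0.113.7", "dst": "198.51.100.10", "sp": 1025, "dp": 80, "proto": "TCP"},
    {"alert": "WEB-IIS ISAPI .ida attempt", "prio": 1, "class": "web-application-attack",
     "src": "203.0.113.7", "dst": "198.51.100.10", "sp": 1026, "dp": 80, "proto": "TCP"},
    {"alert": "WEB-IIS ISAPI .ida attempt", "prio": 1, "class": "web-application-attack",
     "src": "203.0.113.8", "dst": "198.51.100.11", "sp": 1027, "dp": 80, "proto": "TCP"},
    {"alert": "ICMP PING NMAP", "prio": 2, "class": "attempted-recon",
     "src": "203.0.113.9", "dst": "198.51.100.10", "sp": 0, "dp": 0, "proto": "ICMP"},
    {"alert": "ICMP PING NMAP", "prio": 2, "class": "attempted-recon",
     "src": "203.0.113.9", "dst": "198.51.100.12", "sp": 0, "dp": 0, "proto": "ICMP"},
    {"alert": "SNMP public access udp", "prio": 2, "class": "attempted-recon",
     "src": "198.51.100.2", "dst": "198.51.100.10", "sp": 50000, "dp": 161, "proto": "UDP"},
    {"alert": "SNMP public access udp", "prio": 2, "class": "attempted-recon",
     "src": "198.51.100.2", "dst": "198.51.100.10", "sp": 50001, "dp": 161, "proto": "UDP"},
    {"alert": "SNMP public access udp", "prio": 2, "class": "attempted-recon",
     "src": "198.51.100.2", "dst": "198.51.100.10", "sp": 50002, "dp": 161, "proto": "UDP"},
    {"alert": "SCAN SSH Version map attempt", "prio": 2, "class": "attempted-recon",
     "src": "203.0.113.9", "dst": "198.51.100.12", "sp": 40500, "dp": 22, "proto": "TCP"},
]


class AlertDB:
    """Minimal in-memory alert set with the operations the workflow needs."""

    def __init__(self, records: List[Dict]):
        self._loaded = [dict(r) for r in records]   # pristine copy, for "reload the file"
        self.records = [dict(r) for r in records]

    def sort_by(self, *fields: str) -> None:
        # (S)ort: order records by one or more fields, e.g. ("dst", "alert").
        self.records.sort(key=lambda r: tuple(r[f] for f in fields))

    def collapse_by(self, *fields: str) -> Dict[Tuple, int]:
        # (C)ollapse: one line per distinct key, with the number of records behind it.
        counts: Dict[Tuple, int] = {}
        for r in self.records:
            key = tuple(r[f] for f in fields)
            counts[key] = counts.get(key, 0) + 1
        return counts

    def remove_where(self, **match) -> int:
        # (R)emove / (D)elete a collapsed line: drop every record matching all given fields.
        keep = [r for r in self.records if not all(r[k] == v for k, v in match.items())]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def reload(self) -> None:
        # Re-reading the same file brings back whatever was deleted while testing a hypothesis.
        self.records = [dict(r) for r in self._loaded]


def triage(db: AlertDB) -> Dict[str, object]:
    """Run the noise-reduction pass from 'Typical Usage' and report what each step saw."""
    out: Dict[str, object] = {}

    # Step 1: sort by alert, collapse by alert, nuke whole alert types you do not care about.
    db.sort_by("alert")
    out["by_alert"] = db.collapse_by("alert")
    out["dropped_code_red"] = db.remove_where(alert="WEB-IIS ISAPI .ida attempt")

    # Step 2: sort by destination IP then alert, collapse by the pair, remove a noisy host/alert pair.
    db.sort_by("dst", "alert")
    out["by_dst_alert"] = db.collapse_by("dst", "alert")
    out["dropped_snmp_pair"] = db.remove_where(dst="198.51.100.10", alert="SNMP public access udp")

    # Step 3: port view of what is left (destination port here; source port works the same way).
    db.sort_by("dp")
    out["by_dport"] = db.collapse_by("dp")

    # Step 4: sort by source and collapse to find who has been sending the most.
    db.sort_by("src")
    by_src = db.collapse_by("src")
    out["by_src"] = by_src
    out["top_source"] = max(by_src.items(), key=lambda kv: kv[1])
    out["remaining"] = len(db.records)
    return out


if __name__ == "__main__":
    db = AlertDB(SAMPLE_ALERTS)
    result = triage(db)
    for step in ("by_alert", "by_dst_alert", "by_dport", "by_src"):
        print(step)
        for key, n in result[step].items():
            print(f"  {n:6d}  {' '.join(str(k) for k in key)}")
    print("top source:", result["top_source"], "remaining:", result["remaining"])
```

Running the block prints one collapsed view per step, the way the screen looks after each sort/collapse pair; the counts are what tell you which line is safe to delete wholesale and which one deserves a closer look.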
////////////////////
// What's new in this release:
////////////////////
-File system browser for merged files.
-Display "pivots" around current item when re-sorting and
collapsing.
-Alert Priority and Classification Display
-Sort/Collapse/Removal by Priority and Classification
-Collapsing similar alerts (source, dest, alert type etc...)
-Statistics modes (in conjunction with collapsing) and
Alert counts.
-New partial processing for _very_ large alert files.
It will defer processing until you scroll to the data when
you choose a collapse mode. The number in parentheses
after the number of alert records indicates the number
of collapsed records after display collapse. (Note that the
number will change as you scroll through the file
and incremental processing happens.)
-New high speed mini-curses library.
I got tired of futzing with statically compiling curses, I was
looking through the code and said, "yuck, look at all this
crap", "curses" indeed. Who in this day and age needs
ASCII windowing and support for Morrow InterTube magic
cookie terminals? Everything (well almost :-) in the known
universe uses the ansi/vt1x0/vt2x0 command set - so I
stripped out the gunk for everything except that in my
reimplementation! So you can use anything like an xterm
(use a wide one to see all the fields), or a linux/bsd/console,
pc terminal program, remote ssh whatever... I'm afraid
that if, like me, you have something odd like a wyse terminal
you are sol about using this on it :-) By losing all the
termlib/terminfo crap and a lot of unused functionality,
the low swearing diet plan reduced this library's waistline
by more than 10x and gained noticeable execution
speedups.
-Fast scrolling.
The benefit to reimplementing curses is that I have removed
all library dependencies and I even removed stdio and libc
routines. My new small fast library makes scrolling much
snappier (I can't really tell the difference between a p-200
and gig athlon) - and it is now realistic to lean on the page
down key and hop-over a few tens of thousands of alerts.
The mini-curses library (libcuss? short version of curse?
libless? a blessing would be the opposite of a curse? :-)
should also send fewer characters overall in bigger blocks
than normal curses to describe the same screen, so it
should still work fine over network ssh'es, or even serial
consoles - probably even better than the original curses
(which essentially hasn't been touched since the early
80's and the System V Release 2 version that has propagated
into both Linux and BSD).
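An added illustration (my own Python, not the mini-curses library described above) of why a screen library that speaks only the vt100/ANSI cursor-positioning sequences can describe a screen update in far fewer bytes than a clear-and-repaint: it keeps the previous frame and, for each run of cells that differ, emits one cursor move followed by the changed text. The frame contents (a collapsed alert view whose count updates as incremental processing happens), the function names and the tiny terminal model used to check the output are all constructed for this example.

```python
"""Constructed example: diff-based screen update with plain ANSI/vt100 sequences.

Not Cerebus code. Frames are lists of equal-length strings; the only terminal
features used are CUP (cursor position, ESC [ row ; col H) and clear screen
(ESC [ 2 J), which every xterm/vt1x0/vt2x0-class terminal understands.
"""
import re
from typing import List

ESC = "\x1b["
_CLEAR = ESC + "2J"
_CUP = re.compile(r"\x1b\[(\d+);(\d+)H")
WIDTH = 40


def cup(row: int, col: int) -> str:
    """ANSI/vt100 CUP: move the cursor to 1-based (row, col)."""
    return f"{ESC}{row};{col}H"


def full_repaint(frame: List[str]) -> str:
    """Naive redraw: clear the screen and resend every line."""
    out = _CLEAR
    for r, line in enumerate(frame, start=1):
        out += cup(r, 1) + line
    return out


def diff_repaint(old: List[str], new: List[str]) -> str:
    """Send only the runs of cells that differ from the previously drawn frame."""
    out = ""
    for r, (o, n) in enumerate(zip(old, new), start=1):
        col = 0
        while col < len(n):
            if o[col] == n[col]:
                col += 1
                continue
            start = col
            while col < len(n) and o[col] != n[col]:
                col += 1
            out += cup(r, start + 1) + n[start:col]   # one move per changed run
    return out


def apply_to_terminal(screen: List[str], seq: str) -> List[str]:
    """Tiny terminal model understanding only CUP, clear screen and printable text."""
    rows = [list(line) for line in screen]
    width = len(rows[0])
    row, col, i = 0, 0, 0
    while i < len(seq):
        if seq.startswith(_CLEAR, i):
            rows = [[" "] * width for _ in rows]
            row, col = 0, 0
            i += len(_CLEAR)
            continue
        m = _CUP.match(seq, i)
        if m:
            row, col = int(m.group(1)) - 1, int(m.group(2)) - 1
            i = m.end()
            continue
        rows[row][col] = seq[i]
        col += 1
        i += 1
    return ["".join(r) for r in rows]


def _pad(s: str) -> str:
    return s.ljust(WIDTH)


# Constructed frames: the same collapsed view before and after one count ticks up.
OLD_FRAME = [_pad(s) for s in [
    "  count  alert",
    "    312  WEB-IIS ISAPI .ida attempt",
    "     41  SNMP public access udp",
    "      2  SCAN SSH Version map attempt",
]]
NEW_FRAME = [_pad(s) for s in [
    "  count  alert",
    "    312  WEB-IIS ISAPI .ida attempt",
    "     43  SNMP public access udp",
    "      2  SCAN SSH Version map attempt",
]]


if __name__ == "__main__":
    full = full_repaint(NEW_FRAME)
    diff = diff_repaint(OLD_FRAME, NEW_FRAME)
    print(f"full repaint: {len(full)} bytes, diff repaint: {len(diff)} bytes")
    print("diff sequence:", repr(diff))
```

Both sequences leave the modelled terminal showing NEW_FRAME; the diff is a single cursor move plus one character, while the repaint resends every cell. Over an ssh session or a serial console that difference, multiplied by every page-down, is what makes scrolling feel immediate.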
-Static binaries with no library dependencies.
The Linux, FreeBSD and OpenBSD versions are now on the web
servers. I'm happy to say that except for open/close,
read/write, opendir/readdir/closedir, malloc/free (and
ioctl on bsd), this stuff is libc bloat free. These
binaries should run on any systems without library
futzing. I'm happy with the portability of my code :-).
-The sparc version is still unavailable because the
donated sparcstation doesn't seem to like either video
or serial consoles...sigh.
-OSX/ppc, Itanium and Alpha versions of Cerebus will be added
to release sets soon with these new portability improvements
in this version. (Thanks Chris)
////////////////////
// Mandatory Commercial Content:
////////////////////
-dr is available for ids consulting and analysis and system
projects. cerebus is available for custom implementation
integration. more toys under construction. Since Sourcefire
hasn't recently been farming out any more remote development
work now that they have a full team in-house in MD I am
actively seeking development and consulting contracts
until I get busy with my conference preparations again.
cheers,
--dr
--
dr@dursec.com pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
Aardvarks Kick Ass