SidReporter is the Emerging Threats Data Sharing Tool that lets users anonymously report their local IDS/IPS event data. In return you will (soon) get an analysis of how your events compare to the whole, what you are missing, what trends are showing globally, and what you can do to tune your rulesets.
All data is reported in a form that does not identify its source, and it is PGP-encrypted in transit, so the data can be decrypted only by you or by the Emerging Threats data correlation process.
We are currently beta testing the SidReporter perl collector. You can download the current version of SidReporter here:
http://www.emergingthreats.net/sidreporter/
CVS access is available here for the most up to date version:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/?cvsroot=sidreporter
Instructions for installing SidReporter, and some notes on the best way to get GnuPG running, are available here:
SidReporterInstall
Exactly what SidReporter reports is made clear by looking at the format of an event report (which you can review before SidReporter sends it out, if you like):
What's Reported?
A sample report line:
1,Snort,-1,1,122,,1225316502,255,219.xx.xx.xx,0,0,216.xx.xx.xx,0,0,0,0,
The line consists of the following fields, in order:
SID
Event type (default=Snort; present in case we begin to bring in other types of data)
Weight value to increase or decrease the ranking of the event (default=-1; false positives are <0, true positives are >0). This will be used when we give SIMs the ability to rate events.
Type of ranking (default=1) Future use
Generator ID if applicable
SID Rev if appropriate
Time of event occurrence in UTC, as Unix epoch seconds (default: submission time)
PROTO: 6 for TCP, 17 for UDP, 1 for ICMP, 47 for GRE, etc. See
http://www.iana.org/assignments/protocol-numbers
Source IP: the source IP address in the event
Is the Source IP Obfuscated (0/1)
Source Port
Dest IP
Is the Destination IP Obfuscated (0/1)
Dest Port
Is the Source or Destination Bad? (For later when the SIM can feed info back from the analyst)
That's it; this is all that is reported. You can choose in sidreporter.conf to obfuscate your internal and external IP ranges.
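To make the report format concrete, here is a small parser, range-based obfuscator and pre-send sanity check for report lines. This is an added example, not code from the SidReporter collector (which is written in perl). The field order follows the list above; three things are assumptions: the masking scheme used by mask_ip() (octets replaced with "xx", as the masked sample shows), the split of the single "Is the Source or Destination Bad?" entry into one flag per endpoint (the list names 15 fields but the sample line carries 16 values), and the second sample line, which is constructed.

```python
"""Parse, obfuscate and sanity-check SidReporter event-report lines.

Added example, not part of the SidReporter collector. Field order follows
the "What's Reported?" list; mask_ip()'s "xx" scheme, the src_bad/dst_bad
split and the second sample line are assumptions.
"""
import ipaddress
from datetime import datetime, timezone

# Field names in report order. The last two are an assumption: the page's
# single "Is the Source or Destination Bad?" entry is split into one flag
# per endpoint to account for the 16th value in the sample line.
FIELDS = [
    "sid", "event_type", "weight", "rank_type", "gid", "rev", "time_utc",
    "proto", "src_ip", "src_obfuscated", "src_port",
    "dst_ip", "dst_obfuscated", "dst_port", "src_bad", "dst_bad",
]

# The IANA protocol numbers the page mentions.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

# Sample line copied from the page (with the masked octets it shows).
SAMPLE = "1,Snort,-1,1,122,,1225316502,255,219.xx.xx.xx,0,0,216.xx.xx.xx,0,0,0,0,"
# Constructed second sample with an unmasked RFC 1918 source address.
SAMPLE_INTERNAL = "2001,Snort,-1,1,1,5,1225316502,6,10.1.2.3,0,51234,203.0.113.7,0,80,0,0,"


def parse_report_line(line):
    """Split one report line into a dict keyed by FIELDS.

    The line ends with a trailing comma, so the final split token is empty
    and is dropped. A wrong field count is rejected rather than silently
    shifting every later field by one.
    """
    tokens = line.rstrip("\n").split(",")
    if tokens and tokens[-1] == "":
        tokens.pop()
    if len(tokens) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(tokens)))
    rec = dict(zip(FIELDS, tokens))
    for key in ("sid", "weight", "rank_type", "proto", "src_port", "dst_port",
                "src_obfuscated", "dst_obfuscated", "src_bad", "dst_bad"):
        rec[key] = int(rec[key])
    rec["gid"] = int(rec["gid"]) if rec["gid"] else None   # optional
    rec["rev"] = int(rec["rev"]) if rec["rev"] else None   # optional
    # Epoch seconds on the wire; keep an aware UTC datetime in memory.
    rec["time_utc"] = datetime.fromtimestamp(int(rec["time_utc"]), tz=timezone.utc)
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], "proto-%d" % rec["proto"])
    return rec


def format_report_line(rec):
    """Serialize back to the comma-separated wire form, trailing comma included."""
    vals = []
    for key in FIELDS:
        v = rec[key]
        if key == "time_utc":
            v = int(v.timestamp())
        vals.append("" if v is None else str(v))
    return ",".join(vals) + ","


def mask_ip(ip, keep_octets=1):
    """Replace all but the first keep_octets octets with "xx" (assumed scheme)."""
    octets = ip.split(".")
    return ".".join(octets[:keep_octets] + ["xx"] * (4 - keep_octets))


def obfuscate(rec, ranges):
    """Mask src/dst addresses inside the configured ranges and set the matching
    obfuscated flag, mirroring the sidreporter.conf choice to hide internal or
    external ranges. Returns a new dict; the input is left untouched."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    out = dict(rec)
    for side in ("src", "dst"):
        ip = out[side + "_ip"]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # already masked ("xx"), nothing to do
        if any(addr in n for n in nets):
            out[side + "_ip"] = mask_ip(ip)
            out[side + "_obfuscated"] = 1
    return out


def review(rec):
    """Checks worth running before a line leaves the box: a masked address
    must carry the obfuscated flag (and vice versa), and an unexpected
    protocol number is worth a second look."""
    problems = []
    for side in ("src", "dst"):
        masked = "xx" in rec[side + "_ip"]
        flagged = rec[side + "_obfuscated"] == 1
        if masked != flagged:
            problems.append("%s_ip masked=%s but obfuscated flag=%d"
                            % (side, masked, rec[side + "_obfuscated"]))
    if rec["proto"] not in PROTO_NAMES:
        problems.append("unusual protocol number %d" % rec["proto"])
    return problems


if __name__ == "__main__":
    rec = obfuscate(parse_report_line(SAMPLE_INTERNAL), ["10.0.0.0/8"])
    print(format_report_line(rec), review(rec))
```

Run against the page's own sample line, review() reports three things: both addresses are masked while their obfuscated flags are 0, and the protocol number 255 is not one of the values the page lists. Run against the constructed line with "10.0.0.0/8" configured as an internal range, the source becomes 10.xx.xx.xx with its flag set, the destination is left alone, and review() is clean.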
--
MattJonkman - 04 Aug 2008