Main Web>SidReporter (2008-10-30, MattJonkman)

SidReporter

SidReporter is the Emerging Threats Data Sharing Tool that allows users to report anonymously their local IDS/IPS event data. In return you will (soon) get an analysis of how your events compare to the whole, what you're missing, what trends are showing globally, and what you can do to tune your rulesets.

All data is reported in a non-source identifiable way using PGP to encrypt in transit. So your data can only be decrypted by you or the Emerging Threats data correlation process.

We are currently Beta Testing the SidReporter perl collector. You can download the current version of the SidReporter here:

http://www.emergingthreats.net/sidreporter/

CVS access is available here for the most up to date version:

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/?cvsroot=sidreporter

Instructions for installing SidReporter and some notes on the best way to get GnuPG? running are available here:

SidReporterInstall

Exactly what SidReporter reports is made clear by looking at the format of an event report (which you can review before SidReporter sends it out if you like):

What's Reported?

A sample report line: 1,Snort,-1,1,122,,1225316502,255,219.xx.xx.xx,0,0,216.xx.xx.xx,0,0,0,0,

Consists of:

SID

Event type (Default=Snort, but in case we begin to bring in other types of data)

Weight Value to increase or decrease ranking of event (default=-1; fp have are <0; tp are >0). This will be used when we give SIM's the ability to rate events.

Type of ranking (default=1) Future use

Generator ID if applicable

SID Rev if appropriate

Time in UTC of event occurrence (default: submission time)

PROTO: 6 for TCP, 17 for UDP, 1 for ICMP, 47 for GRE, etc. See http://www.iana.org/assignments/protocol-numbers

SRC ip int: Src ip address in the event

Is the Source IP Obfuscated (0/1)

Source Port

Dest IP

Is the Destination IP Obfuscated (0/1)

Dest Port

Is the Source or Destination Bad? (For later when the SIM can feed info back from the analyst)