[Snort-users] Am I in the right place? (was: Tips for using ACID in a multi-admin environment)

Bamm Visscher bamm at ...539...
Thu May 29 13:21:11 EDT 2003


I have both of these messages saved, with the intent of replying in detail to both. Unfortunately, I haven't had a lot of extra time on my hands lately. I do work for a Fortune 500 company, and we use snort very successfully. We have sensors in many different locations, and I work remotely (telecommute). Although we use snort as our 'base' IDS, we have our own interface and DB schema. For reasons I won't go into detail about, we cannot release that interface. I am, however, working on an open source project that will replace our proprietary implementation at some point. This project can be found on sourceforge at http://sguil.sourceforge.net.  Sguil allows multiple clients to connect and work together while monitoring multiple sensors. Events are analyzed and then placed into different incident categories, or marked 'NA' (for no further action required). When an analyst marks an event (or a series of events) for classification, it is removed from all connected consoles. The events remain in the DB, with a history of who categorized the event and any comments the analyst made on it. "Archived" events can be pulled back up in the console with simple SQL queries. Sguil also provides a series of hooks to other third party tools like ethereal, p0f, and tcpflow. I suppose I could go on and on, and we really do need to develop an analyst's guide for using sguil (time, time, time!), but your best bet is to download it and give it a whirl. I'll gladly answer any questions you may have and am more than willing to accept any criticism or help you have to offer. My goal (with the support of my management) is to build a tool that is truly useful for us, and companies like ours, with the support of the open source community. The worst part of having a proprietary system is knowing that if key individuals go away, so does your support.


On Thu, May 29, 2003 at 01:46:02PM -0500, Williams Jon wrote:
> I apologize if this seems a bit troll-like, I don't intend it to be.  I
> posted this message a couple of weeks ago and got zero responses.  A few
> days later, someone else asked about Fortune 500 users and I saw, I think,
> one response.  While I read this list a lot, I'm starting to wonder if I'm
> asking questions in the right place.
> I've been using snort for a while now, something like 2-3 years, and am
> monitoring a moderate amount of traffic (i.e. the busiest box is watching
> between 50-60 mbps sustained during business hours, and I've got several
> scattered across multiple timezones).  I believe, rightly or wrongly, that
> I've gone through the same phases that I see a lot of people go through on
> this list (how do I build it, why doesn't it run, why do I get so many
> alerts for stuff I don't care about, how do I write a custom rule) and am
> now starting to ask other questions, like the one below.  Since I don't get
> any response, I'm not sure if a) people are too concerned about their
> corporate security to share, b) are willing to share but are no longer on
> this particular list, c) are willing to answer, but my situation is unique,
> or d) there's no answer to my problems.
> So, is there a better list for advanced snort issues and/or enterprise snort
> deployment questions?  If not, are there people on this list who've gone
> through these issues and don't want to discuss them in a public forum?  As I
> said, I'm not trying to be a rabble-rouser, it's just that the great support
> from the mailing list was one of the selling points when I convinced
> management to go Open Source, so it's a bit confusing/embarrassing when I
> send out questions that get no response at all.
> Thanks!
> Jon

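The event-handling model Bamm describes above (one DB shared by every connected console; an event leaves all consoles once an analyst classifies it, but stays in the DB with who classified it and why; "archived" events come back with a plain SQL query) can be sketched in a few dozen lines. The following is an added example written for this page, not Sguil's own schema or code: the table and column names, the category labels and the sample alerts are all made up for illustration. It uses Python's built-in sqlite3 so it runs offline.

```python
"""Toy multi-analyst alert-classification store in the style Bamm describes.

Hypothetical schema and category names; nothing here is taken from Sguil.
"""
import sqlite3

# Assumed category labels. 'NA' (no further action) is the only one the
# original message names; the rest are invented for the example.
CATEGORIES = ("NA", "compromise", "attempted_access", "recon", "policy_violation")

SCHEMA = """
CREATE TABLE event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    ts        TEXT    NOT NULL,
    signature TEXT    NOT NULL,
    src_ip    TEXT    NOT NULL,
    dst_ip    TEXT    NOT NULL,
    status    TEXT,               -- NULL = unclassified, still shown on every console
    PRIMARY KEY (sid, cid)
);
CREATE TABLE history (
    sid      INTEGER NOT NULL,
    cid      INTEGER NOT NULL,
    analyst  TEXT    NOT NULL,
    category TEXT    NOT NULL,
    comment  TEXT,
    ts       TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    FOREIGN KEY (sid, cid) REFERENCES event(sid, cid)
);
"""

# Constructed sample alerts (not captured traffic): (sid, cid, ts, signature, src, dst).
SAMPLE_EVENTS = [
    (1, 101, "2003-05-29T12:00:01Z", "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.20"),
    (1, 102, "2003-05-29T12:00:07Z", "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.21"),
    (2, 17,  "2003-05-29T12:03:44Z", "ICMP PING NMAP",         "10.0.0.9", "192.168.2.1"),
]


def open_db():
    """Create the in-memory store and load the constructed sample alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?, ?, ?, NULL)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def console_view(conn):
    """What every connected console shows: events nobody has classified yet."""
    return conn.execute(
        "SELECT sid, cid, ts, signature, src_ip, dst_ip FROM event "
        "WHERE status IS NULL ORDER BY ts"
    ).fetchall()


def classify(conn, analyst, category, comment, *keys):
    """Classify one or more events as a single transaction.

    The UPDATE only matches rows that are still unclassified, so if a second
    analyst races for the same event, the loser gets LookupError and the whole
    batch rolls back instead of silently overwriting the first decision.
    Returns the number of events classified.
    """
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    with conn:  # commit on success, roll back on any exception
        for sid, cid in keys:
            cur = conn.execute(
                "UPDATE event SET status = ? WHERE sid = ? AND cid = ? AND status IS NULL",
                (category, sid, cid),
            )
            if cur.rowcount != 1:
                raise LookupError(f"event {sid}/{cid} missing or already classified")
            conn.execute(
                "INSERT INTO history (sid, cid, analyst, category, comment) "
                "VALUES (?, ?, ?, ?, ?)",
                (sid, cid, analyst, category, comment),
            )
    return len(keys)


def archived(conn, category=None, src_ip=None):
    """Pull classified events back up, joined with who classified them and why."""
    sql = (
        "SELECT e.sid, e.cid, e.signature, e.src_ip, e.status, h.analyst, h.comment "
        "FROM event e JOIN history h USING (sid, cid) WHERE e.status IS NOT NULL"
    )
    params = []
    if category is not None:
        sql += " AND e.status = ?"
        params.append(category)
    if src_ip is not None:
        sql += " AND e.src_ip = ?"
        params.append(src_ip)
    return conn.execute(sql + " ORDER BY e.ts", params).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("on consoles:", console_view(db))
    classify(db, "jon", "compromise", "cmd.exe hits against two IIS hosts", (1, 101), (1, 102))
    print("on consoles after classification:", console_view(db))
    print("archived from 10.0.0.5:", archived(db, src_ip="10.0.0.5"))
```

The point worth noting for a multi-analyst deployment is the `status IS NULL` guard in the UPDATE combined with the transaction: the shared DB, not the console, is the arbiter of who classified what, so two analysts looking at the same alert cannot both "own" it, and the losing classification attempt fails loudly rather than clobbering the recorded decision.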
