[Snort-users] Snort Analysis platform
andreaso at ...236...
Sun Nov 28 10:43:04 EST 2004
On Sat, 27 Nov 2004, mamo wrote:
> The platform should have a strong ability to see events from
> different points of view (source IP, dest IP, event name, network
> sensor name, etc.) and drill down to analyze them better. This approach is
> the only one I have found that permits analyzing so many events.
> Do you have any experience to share on software
> (commercial/open source) that permits Snort event analysis for an
> environment with so many events?
Not yet, but I'm playing with a tool called Pigris that I hope I'll have
time to finish and release sometime (I don't know when, though). It has
the look and feel of a web-based alert browser but is a client written in
Perl/Tk that talks to the DB. It works well with many sensors and events
and has some other useful features too. There are some early screenshots
and more info at http://people.su.se/~andreaso/pigris/screenshots/ if
You may also want to check out Sguil at http://sguil.sf.net/. It scales
well but kind of assumes that every event (or correlated group of events)
has to be dealt with by an analyst. This can be a huge strength in some
environments but I'm not sure it would work well if you have 2 million
events a day (are your sigs really optimally tuned?)
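The pivot-and-drill-down style of analysis asked about above (count events by signature, source, destination or sensor, then narrow by one of those and pivot again) maps directly onto GROUP BY queries over the Snort database-output schema. The following is an added example written for this page, not code from Pigris, Sguil or the Snort project. It assumes a subset of the classic Snort "database" plugin schema (sensor, signature, event, iphdr, with IPv4 addresses stored as unsigned integers); column names may differ in other schema versions. The sample sensors, signatures and events are constructed, loaded into an in-memory SQLite database standing in for MySQL/PostgreSQL. It also shows the tuning check the reply hints at: which signatures account for most of the volume.

```python
"""Pivot / drill-down counts over a Snort database-output schema (SQLite stand-in)."""
import ipaddress
import sqlite3

# Assumed subset of the classic Snort "database" output plugin schema.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

# Whitelist of pivot dimensions -> SQL column. A user-chosen dimension name is
# looked up here and never interpolated into the query text itself.
DIMENSIONS = {
    "signature": "sg.sig_name",
    "sensor": "se.hostname",
    "src": "ip.ip_src",
    "dst": "ip.ip_dst",
}

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

# Constructed sample events: (sensor sid, sig_id, src, dst, repeat count)
SAMPLE = [
    (1, 1, "203.0.113.5", "192.0.2.10", 6),
    (1, 2, "203.0.113.5", "192.0.2.10", 2),
    (1, 3, "198.51.100.7", "192.0.2.80", 1),
    (2, 4, "10.0.0.9", "10.0.0.1", 5),
    (2, 1, "10.0.0.23", "10.0.0.1", 1),
]

def build_sample_db() -> sqlite3.Connection:
    """Create the schema in memory and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?)",
                     [(1, "dmz-sensor", "eth1"), (2, "lan-sensor", "eth0")])
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", [
        (1, "ICMP PING NMAP", 2, 469),
        (2, "SCAN nmap XMAS", 2, 1228),
        (3, "WEB-IIS cmd.exe access", 1, 1002),
        (4, "SNMP public access udp", 2, 1411),
    ])
    cid = {1: 0, 2: 0}  # per-sensor event counter, as Snort's output plugin keeps it
    for sid, sig, src, dst, n in SAMPLE:
        for _ in range(n):
            cid[sid] += 1
            ts = f"2004-11-27 10:{cid[sid]:02d}:00"
            conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid[sid], sig, ts))
            conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                         (sid, cid[sid], ip_to_int(src), ip_to_int(dst), 1))
    conn.commit()
    return conn

def pivot(conn, dimension, filters=None, limit=10):
    """Count events grouped by `dimension`, optionally narrowed by values chosen in
    earlier pivots (`filters` maps dimension name -> value): one drill-down step."""
    if dimension not in DIMENSIONS:
        raise ValueError(f"unknown dimension {dimension!r}")
    where, params = [], []
    for key, value in (filters or {}).items():
        if key not in DIMENSIONS:
            raise ValueError(f"unknown filter {key!r}")
        if key in ("src", "dst"):
            value = ip_to_int(value)          # addresses are stored as integers
        where.append(f"{DIMENSIONS[key]} = ?")  # values always go through bind parameters
        params.append(value)
    where_sql = ("WHERE " + " AND ".join(where)) if where else ""
    sql = f"""
        SELECT {DIMENSIONS[dimension]} AS k, COUNT(*) AS n
        FROM event e
        JOIN sensor se    ON se.sid = e.sid
        JOIN signature sg ON sg.sig_id = e.signature
        JOIN iphdr ip     ON ip.sid = e.sid AND ip.cid = e.cid
        {where_sql}
        GROUP BY k ORDER BY n DESC, k LIMIT ?"""
    rows = conn.execute(sql, params + [limit]).fetchall()
    if dimension in ("src", "dst"):
        rows = [(int_to_ip(k), n) for k, n in rows]
    return rows

def noisiest_signatures(conn, min_share=0.25):
    """Signatures accounting for at least `min_share` of all events: tuning candidates."""
    total = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    return [(name, n, round(n / total, 3))
            for name, n in pivot(conn, "signature", limit=1000)
            if n / total >= min_share]

if __name__ == "__main__":
    c = build_sample_db()
    for dim in DIMENSIONS:
        print(dim, pivot(c, dim))
    print("drill-down, NMAP pings by source:", pivot(c, "src", {"signature": "ICMP PING NMAP"}))
    print("noisiest signatures:", noisiest_signatures(c, 0.3))
```

Each call to pivot() is one step of the drill-down: pivot on signature, pick a row, then pivot on source with that signature as a filter, and so on. Keeping the dimension names in a fixed dictionary and passing every filter value as a bind parameter is what makes it safe to let an analyst (or a GUI) choose the grouping; a tool that builds the GROUP BY column from free text would be a SQL injection path into the alert database. The noisiest_signatures() output is the quick answer to "are your sigs really optimally tuned?": a handful of rules producing most of a two-million-event day are the first to threshold, suppress or fix.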