On Sat, 27 Nov 2004, mamo wrote:
> The platform should offer a strong ability to see events from
> different points of view (source IP, Dest IP, Event Name, Network
> Sensor Name, etc.) and drill down to analyze better. This approach is
> the only one I have found that permits analyzing so many events.
> Do you have any experience to share on software
> (commercial/open source) that permits Snort event analysis for an
> environment with so many events?

Not yet, but I'm playing with a tool called Pigris that I hope I'll have 
time to finish and release some time (I don't know when though). It has 
the look and feel of a web-based alert browser but is a client written in 
Perl/Tk that talks to the db. It works well with many sensors and events 
and has some other useful features too. There are some early screenshots 
and more info at http://people.su.se/~andreaso/pigris/screenshots/ if 
you're interested.

You may also want to check out Sguil at http://sguil.sf.net/. It scales 
well but kind of assumes that every event (or correlated group of events) 
has to be dealt with by an analyst. This can be a huge strength in some 
environments but I'm not sure it would work well if you have 2 million 
events a day (are your sigs really optimally tuned?).
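An added example (not from this thread, nor from Pigris or Sguil) of the pivot-and-drill-down view the question asks for, run over a few constructed alert lines in Snort's "fast" alert format; the leading sensor-name field and all addresses are assumptions, since the fast format itself carries no sensor name.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert style, prefixed with an assumed
# sensor name. Addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
sensor-dmz 11/27-10:12:33.123456 [**] [1:2003:8] SCAN Example probe [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
sensor-dmz 11/27-10:12:34.200001 [**] [1:2003:8] SCAN Example probe [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 198.51.100.6:80
sensor-lan 11/27-10:13:01.000123 [**] [1:2003:8] SCAN Example probe [**] [Priority: 2] {TCP} 192.0.2.10:4446 -> 198.51.100.7:22
sensor-lan 11/27-10:15:10.555555 [**] [1:1234:1] WEB Example attack [**] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80
sensor-dmz 11/27-10:16:45.777777 [**] [1:1234:1] WEB Example attack [**] [Priority: 1] {TCP} 203.0.113.7:51001 -> 198.51.100.5:443
"""

# sensor, timestamp, [gid:sid:rev], rule name, protocol, src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<name>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse fast-style alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def pivot(events, field):
    """Count events by one field: the 'point of view' (src, dst, name, sensor...)."""
    return Counter(e[field] for e in events)

def drill_down(events, **filters):
    """Keep only events matching every field=value pair, e.g. src='192.0.2.10'."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for field in ("name", "src", "dst", "sensor"):
        print(field, pivot(evs, field).most_common(3))
    # Drill down: one noisy source, then re-pivot by destination
    print(pivot(drill_down(evs, src="192.0.2.10"), "dst"))
```

The top-N signature pivot is also the quickest way to spot the handful of rules generating most of the volume, which is usually where tuning starts.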