[Snort-users] consensus on BASE

Alex Butcher alex.butcher at ...11254...
Fri Jun 2 05:18:37 EDT 2006


Drew Burchett wrote:
> I guess if BASE has one fatal flaw, there's no ability to see an IP
> conversation that triggered an alert.  For example, if you see an ATTACK
> RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was
> malicious or if some dummy just typed in the wrong URL.

That's correct in that specific case, as Snort will only generate an
alert for the 403 from the server and will not log packets preceeding
that event. However, if you have rules to look out for dangerous
inbound/request traffic, then you can get details of what was requested
and what the server's response was.

If Snort provides payload information, BASE will use it. You need to
configure Snort to use an 'alert' output plugin, rather than a 'log'
output plugin.

Further to this, if you use FLoP between Snort and the database and use
Snort's 'tag' directive on rules you're interested in, FLoP's
'getpacket' utility can rebuild the original alert plus subsequent
tagged packets into a .pcap file that can be analysed using ethereal or
whatever. I've patched my local installation of BASE to provide the
option to download such a pcap file from the alert viewer. The patch was
submitted to BASE a while back, but they don't seem to have seen fit to
include it just yet.

> Drew Burchett

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




More information about the Snort-users mailing list