[Snort-users] consensus on BASE

Michael Scheidell scheidell at ...5171...
Sat May 27 05:12:01 EDT 2006


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Drew Burchett
> Sent: Saturday, May 27, 2006 7:21 AM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] consensus on BASE
> 
> I guess if BASE has one fatal flaw, there's no ability to see 
> an IP conversation that triggered an alert.  For example, if 
> you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no 
> good way to tell if it was malicious or if some dummy just 
> typed in the wrong URL.

Then there is no flaw in BASE, since it only records what snort gave it.
NOTHING can tell you what caused the 403 error unless you also correlate
it to syslogs for the web server.

(which you can do with base if you want to parse syslogs and send them
to base)

I think BASE is great, except for the searching capabilities.  They are
really poor.
That makes it hard to do anything but look at 'top 5' type events.

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
MediaPro web-based privacy and security training:
http://www.secnap.com/events.php?pg=15
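
One way to do the correlation Michael describes, as an added example that is not from this thread or from the Snort/BASE projects: it parses a Snort "fast"-format alert line and Apache combined-format access log lines (both constructed samples; the rule id 1:1000001 is a placeholder, not a real SID) and returns the requests the alerted client made within a few seconds of the alert, so a 403 alert can be tied to the URL that produced it. It assumes the sensor and web server share a clock and time zone, and that the caller supplies the year, since the fast format omits it.

```python
import re
from datetime import datetime, timedelta

# Constructed samples (not real traffic). Rule id 1:1000001 is a placeholder, not a real SID.
SNORT_ALERT = (
    "05/27-07:15:42.113240  [**] [1:1000001:1] ATTACK-RESPONSES 403 Forbidden [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:80 -> 198.51.100.7:51322"
)
APACHE_LOG = """\
198.51.100.7 - - [27/May/2006:07:15:41 -0400] "GET /admin/ HTTP/1.1" 403 212 "-" "Mozilla/4.0"
203.0.113.5 - - [27/May/2006:07:15:41 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [27/May/2006:07:16:30 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Snort "fast" alert: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Apache combined log: client ident user [ts] "request" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def parse_alert(line, year):
    """Parse one fast-format alert. The fast format has no year, so the caller supplies it.
    For a 403 *response* alert the packet flows server -> client, so src is the web server."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert: " + line)
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "server": m["src"], "client": m["dst"]}

def parse_access_log(text):
    """Yield access-log entries; timestamps made naive (assumes sensor and server share clock/TZ)."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield {"ts": ts, "client": m["client"], "request": m["request"], "status": int(m["status"])}

def correlate(alert, entries, window=timedelta(seconds=5)):
    """Return the alerted client's requests logged within +/- window of the alert, oldest first."""
    hits = [e for e in entries if e["client"] == alert["client"] and abs(e["ts"] - alert["ts"]) <= window]
    return sorted(hits, key=lambda e: e["ts"])
```

On the samples above, `correlate(parse_alert(SNORT_ALERT, 2006), parse_access_log(APACHE_LOG))` returns only the `GET /admin/` request that drew the 403; the client's later request falls outside the window and the other client's request is ignored.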
