[Snort-users] consensus on BASE

Bamm Visscher bamm.visscher at ...11827...
Sat May 27 08:13:08 EDT 2006


The Sguil client runs fine on any OS that supports tcl. Using the
ActiveState [0] packages, it's actually easier to run the client on
Windows than it is Linux.  ActiveState also has packages available for
AIX, HP-UX, Linux, Mac OS X (both for PowerPC and x86), and Solaris.
Here is an old post on Richard's TaoSecurity blog [1] that explains
the installation process.

Bammkkkk

[0] http://www.activestate.com/Products/ActiveTcl/
[1] http://taosecurity.blogspot.com/2003/07/want-to-become-f8-monkey-my-friend.html

On 5/27/06, Drew Burchett <DrewB at ...13821...> wrote:
> While I can agree with most of what was said here, I can see one flaw
> with Sguil.  I don't run any Linux boxes with a GUI frontend, and I
> don't have the resources to load one just to run Sguil.  I'm using BASE
> to help fine tune Snort as it's good to help weed out false positives
> and for a good running overview of what is happening in realtime.  I
> combine that with Snortalog for daily overviews of my data and then use
> other programs to provide email and/or pager alerts on events that I
> feel are important enough to draw my immediate attention.
>
> I guess if BASE has one fatal flaw, there's no ability to see an IP
> conversation that triggered an alert.  For example, if you see an ATTACK
> RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was
> malicious or if some dummy just typed in the wrong URL.
>
> Drew Burchett
> United Systems & Software
> http://www.united-systems.com
> Phone:  (270)527-3293
> Fax:     (270)527-3132
>
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of Paul Schmehl
> > Sent: Friday, May 26, 2006 12:54 PM
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] consensus on BASE
> >
> > John Newman wrote:
> > > Is the consensus that BASE is the best web front-end for snort out
> there
> > > (and I mean free, open source stuff)?  What are people's experiences
> > > with sguil (which I realize is not web based).
> > >
> > > thanks,
> > >
> > I think Base is probably the most popular open source front-end
> > (although I don't have any data to back that up.)  It's certainly easy
> > to install and use.  The problem with Base is that it gives you a
> > sliding window of your events data, which tends to obscure real-time
> > events from view unless they are large enough to draw attention (or
> you
> > just happen to notice them._  So, it's good for summarizing what's
> going
> > on, but not as good for real-time analysis of discrete events.
> >
> > Sguil is very difficult to install.  It requires quite a bit of
> > preparation and installation of ancilliary apps to make it work.  (I'm
> > trying to solve that on FreeBSD by developing ports for it that take
> > care of all the dependencies.)  That's a consequence of the decision
> to
> > use tcl as the programming language, since it's not commonly installed
> > on most platforms.  (It also uses some other apps which are not so
> > common; sancp, p0f, tcpdump
> >
> > Once it's installed and configured (which is also a bit of work and
> > requires a clear understanding of what you're doing), it provides a
> > completely different, more detailed look at the data, in real time.
> > It's easy to pick out events that need immediate followup and drill
> down
> > into packets to see what's really going on.
> >
> > So, I would say, Base is good for folks new to snort and especially
> new
> > to admining OSes, and sguil is good for folks who clearly understand
> > what they're doing and want as much information about events as they
> can
> > get.
> >
> > --
> > Paul Schmehl (pauls at ...6838...)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > http://www.utdallas.edu/ir/security/
>
>
> --
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.
>
>
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmdlnk&kid7521&bid$8729&dat1642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listsnort-users
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-users mailing list