[Snort-users] consensus on BASE

Bamm Visscher bamm.visscher at ...11827...
Sat May 27 09:37:01 EDT 2006


I expect Drew was commenting more on the suite of tools that Sguil
uses. One of those tools is used to collect full content data.  With
the full content logged,  the analyst has the ability to quickly
retrieve all the logged packets and view [0] the reconstructed
session.

Obviously BASE was never designed to do this. BASE is what I would
call an 'alert browser'. That is not meant to be derogatory, it is
just what it has been designed to do and it can definately fullfill
the needs of many, especially those that adminster the systems and
networks their watching.

Sguil was designed to support network security monitoring [1].  It's
benefit will be seen by those of us who are monitoring large networks
and systems we don't control.

There are other projects that attempt to correlate and prioritize
various events using system logs, firewalls, audit info, etc. OSSIM
[1] is one such project.  Sguil is NOT a SIM [2,3].

Bammkkkk

[0] http://sguil.sourceforge.net/images/0.6/sguil_transcript.png
[1] http://www.taosecurity.com/books.html (TAO of Network Security Monitoring)
[2] http://infosecpotpourri.blogspot.com/2006/01/sguil-is-not-sim.html
[3] http://taosecurity.blogspot.com/2006/01/in-defense-of-david-bianco-id-like-to.html

On 5/27/06, Michael Scheidell <scheidell at ...5171...> wrote:
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> > Drew Burchett
> > Sent: Saturday, May 27, 2006 7:21 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] consensus on BASE
> >
> > I guess if BASE has one fatal flaw, there's no ability to see
> > an IP conversation that triggered an alert.  For example, if
> > you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no
> > good way to tell if it was malicious or if some dummy just
> > typed in the wrong URL.
>
> Then there is no flaw in BASE, since it only records what snort gave it.
> NOTHING can tell you what cause the 403 error unless you also correlate
> it to syslogs for the web server.
>
> (which you can do with base if you want to parse syslogs and send them
> to base)
>
> I think BASE is great, except for the searching capibilities.  They are
> really poor.
> That makes it hard to do anything but look at 'top 5' type events.
>
> --
> Michael Scheidell, CTO
> 561-999-5000, ext 1131
> SECNAP Network Security Corporation
> MediaPro web base privacy and security training:
> http://www.secnap.com/events.php?pg=15
>
>
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmdlnk&kid7521&bid$8729&dat1642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listsnort-users
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-users mailing list