[Snort-users] Snort Summary Web Pages

Bryan Swann swann at ...4020...
Fri Nov 9 17:11:38 EST 2007


IMO, BASE isn't a very useful product for IDS monitoring, though I'm 
sure others may disagree.  It doesn't provide a real-time view of the 
alerts, which is what most people want.  I've never tried Sguil, but it 
is supposed to provide that function.

I use the commercial product Aanval and it runs circles around BASE. 
It's pretty cheap too.  It has real-time monitoring support and can 
create nice reports on data returned by a query.  I just got the most 
recent version and it has support for PDF reports too.

As far as reporting goes, I wish there were some decent comparisons 
between the tools.  Don't use Snort Report; it queries all of the data 
to generate a report every time you access it.  With only a moderate 
alert load, the tool takes forever.  I like SnortSnarf and Snortalog, 
though I would like to hear what others are using.

I am moving to barnyard, but found that few reporting tools can use 
the unified logging format.  Barnyard can create something similar to 
the fast alert output, but the format is slightly different.  I plan on 
trying to write a script to parse the barnyard output so I can still use 
SnortSnarf and Snortalog.  I would love to know what other tools people 
are using to create a daily report.

Michael Merrell wrote:
> Hi!
>  
> I hope I'm doing this right and that I get some helpful responses. 
>  
> I've recently installed Snort and BASE on a Fedora Core 7 machine. I've secured the main page with a password following the instructions found on the Snort Documents page. However, while I'd like to keep the main page secure, I'd also like to post a real-time summary (just the number of alerts and traffic by protocol stuff) on a second web page that would not be secured. I'd like it set up so that anyone could view this summary but following the links would require a password.
>  
> I've been reading through documentation online without much success and I was hoping someone might be able to offer me some help.
>  
> I'd appreciate any suggestions and advice! Thank you!
>  
> - Michael M.

-- 
-
- Bryan Swann (swann at ...4020...)  843/218-4749
- SPAWAR Systems Center Charleston
-
-  The difference between genius and stupidity is that genius has its limits.  - Einstein
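The daily report described above, as an added example that is not part of the original post and is not code from Snort, barnyard, SnortSnarf or Snortalog: a Python script that parses Snort's own one-line alert_fast layout (timestamp, [**] gid:sid:rev message [**], optional Classification, Priority, {PROTO} src -> dst), skips lines that do not match instead of aborting the report, and tallies alerts by protocol, signature, priority and source host. The barnyard variant of the fast format is not handled, since its exact layout is not given here; the alert lines, the local rule, and the addresses are constructed for the example.

```python
"""Summarize Snort alert_fast lines into a plain-text daily report.

Added example, not from the original post. Assumes the classic Snort
alert_fast one-line layout and IPv4 addresses; the sample alerts below
are constructed, not captured from a real sensor.
"""
import re
import sys
from collections import Counter

# Constructed sample input shaped like Snort's alert_fast output. The last
# line is deliberately malformed to show that the report skips it.
SAMPLE_ALERTS = """\
11/09-17:11:38.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.20:1434 -> 10.0.0.5:1434
11/09-17:11:39.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 10.0.0.5
11/09-17:11:40.500000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.21:1434 -> 10.0.0.5:1434
11/09-17:11:41.250000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 1] {TCP} 10.0.0.9:51234 -> 10.0.0.5:22
this line is not an alert and must be skipped, not crash the report
"""

# One alert per line; the Classification block is optional in alert_fast
# because rules without a classtype do not emit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    # Split "host:port" into host and port; ICMP lines carry no port.
    for key in ("src", "dst"):
        host, sep, port = d[key].rpartition(":")
        d[key + "_host"], d[key + "_port"] = (host, int(port)) if sep else (d[key], None)
    return d


def summarize(text):
    """Aggregate alert lines into counts; unparsable lines are counted, not fatal."""
    report = {
        "total": 0,
        "skipped": 0,
        "by_sig": Counter(),
        "by_proto": Counter(),
        "by_src": Counter(),
        "by_pri": Counter(),
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            report["skipped"] += 1
            continue
        report["total"] += 1
        report["by_sig"][(a["gid"], a["sid"], a["msg"])] += 1
        report["by_proto"][a["proto"]] += 1
        report["by_src"][a["src_host"]] += 1
        report["by_pri"][a["pri"]] += 1
    return report


def render(report):
    """Format the summary as the plain-text report a nightly cron job would mail."""
    lines = [f"Total alerts: {report['total']}  (unparsed lines skipped: {report['skipped']})", ""]
    lines.append("Alerts by protocol:")
    for proto, n in report["by_proto"].most_common():
        lines.append(f"  {proto:<6} {n}")
    lines.append("")
    lines.append("Alerts by priority:")
    for pri, n in sorted(report["by_pri"].items()):
        lines.append(f"  priority {pri}: {n}")
    lines.append("")
    lines.append("Top signatures:")
    for (gid, sid, msg), n in report["by_sig"].most_common(10):
        lines.append(f"  {n:>5}  [{gid}:{sid}] {msg}")
    lines.append("")
    lines.append("Top source hosts:")
    for host, n in report["by_src"].most_common(10):
        lines.append(f"  {n:>5}  {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the alert file as the first argument; with no argument the
    # constructed sample is used so the script runs offline.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print(render(summarize(text)))
```

Run it against the sensor's alert_fast file (the path depends on the output plugin configuration and is assumed here) from cron once a day and mail the output. The regex anchors on the `[**]` delimiters and the `{PROTO}` block rather than on column positions, so a message containing spaces or brackets still parses; anything that does not match is counted under "skipped" so a corrupt line is visible in the report rather than silently dropped.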