[Snort-users] snort web interface

Jason Meller jason.meller at ...11827...
Tue Aug 23 21:03:33 EDT 2011


Alexus,

Full disclosure, I work with Mephux on Snorby but I don't think James or
Alex correctly or accurately answered your question, so I wanted to throw in
my $0.02.

   1. BASE is a dead project and hasn't had a new feature pushed since 2008
   (3 years ago). It doesn't plug in with any of the packet capture frameworks
   out there and its interface is disorganized compared to the other available
   front-ends. It's dead; let's move on. Supporting a dead open-source project
   hurts the actively developed efforts out there.

   2. Squert is a badass project in active development. One thing James
   didn't mention though is that it requires Sguil, which utilizes an entirely
   different DB schema than the ones provided by the snort/barnyard2 db output
   plugins. Sguil requires a bit more expertise to get up and running than your
   standard Snort + front-end solution. If you want to go that route, Squert is
   a good Sguil companion.

   3. Snorby is a RECENT development in the community. It was first
   introduced in 2009 and has far surpassed BASE in functionality. I work with
   Mephux developing Snorby and here are some of the reasons I would recommend
   it to anyone:


   - It's actively developed by two passionate NSM analysts.
   - It allows you to pivot on datapoints in the events without
     interrupting the analyst's thought process (rule content, related alerts, IP
     ARIN/whois data).
   - It integrates with OpenFPC and Solera DeepSee products for Full
     Packet Capture.
   - It has exportable and beautiful PDF reports and metrics.

The security industry is evolving so rapidly that choosing a dead project
like BASE for your SOC, MSSP, CIRT, or even personal use is just setting you
up for failure.

Other people agree with this assessment and that is why the project has been
accepted into Security Onion Distro and featured on The Change Log.

Other analysts are excited about Snorby as well. Check out these articles:

   - http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
   - http://www.aldeid.com/wiki/An-interesting-forensics-analysis

If you want to check out Snorby, check out our live demo at
http://demo.snorby.org (u: demo at ...15054..., p: snorby)

If you want to test out Snorby in your environment, check out Insta-Snorby
(www.snorby.org); it's a turn-key Snorby.

Enjoy the project and please support us!

Mephux and Terracatta

On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:

>
>
> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
>
> >I was wondering what's popular/good web interfaces these days?
> >
> >--
> >http://alexus.org/
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >Please visit http://blog.snort.org to stay current on all the latest
> >Snort news!
>
> BASE seems to give the maximum amount of information/reports vs. ease of
> install.  Squert is awesome, but does require a few extra processes
> running.  Snorby is "ok"...not very good for reports, at least in my
> experience.  For Squert and Snorby, it's pretty crucial that you have a
> tuned snort install since you don't have an easy method to delete entries.
>
> James
>
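James's point about a "tuned snort install" comes down to not letting noisy rules flood the events table that BASE, Snorby or Squert read. The fragment below is an added illustration, not configuration from the original thread or from any of the projects mentioned: it shows the Snort 2.x threshold.conf syntax (suppress and event_filter) together with the barnyard2 database output line that feeds the snort/barnyard2 DB schema the front-ends consume. The signature IDs, IP addresses, database name and credentials are placeholders I chose for the example.

```conf
# --- /etc/snort/threshold.conf (included from snort.conf via "include threshold.conf")
# Added example; SIDs and addresses below are illustrative placeholders.

# Drop a known-noisy signature entirely for one trusted host (never logged,
# so it never reaches the database or the web front-end).
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.1.1.54

# Keep a chatty rule, but log at most one event per source every 60 seconds.
event_filter gen_id 1, sig_id 1852, type limit, track by_src, count 1, seconds 60

# Only log a brute-force style rule once it has fired 5 times in 30 seconds
# from the same source; earlier hits are counted but not written out.
event_filter gen_id 1, sig_id 2001219, type threshold, track by_src, count 5, seconds 30

# --- /etc/snort/barnyard2.conf
# Snort writes unified2 spool files; barnyard2 reads them and inserts into the
# Snort DB schema that BASE and Snorby query. Credentials are placeholders.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

input unified2

output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

Because the filtering happens in Snort before the event is spooled, nothing unwanted ever lands in the database, which is what you want when the front-end offers no convenient way to delete rows afterwards. Sguil does not use this schema; Squert reads Sguil's own tables, so the barnyard2 output line above applies to BASE/Snorby-style deployments only.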