[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 21:55:52 EDT 2011


All,

Very concerned with the comments by James Lay and Adam Wright... Idiotic to
say the least... anyways..

Second, I don't think I have ever heard anyone sum up how important full
packet capture is better than Martin Holste just did (since Bam/Richard of course).
I'm biased in this decision because I started and maintain Snorby, but if you
decide to use another tool please make sure it follows the NSM guidelines.
Sguil, Snorby, Squert and the upcoming nsmframework are your best options
for a proper IR/NSM solution.

Martin, I would like to work with you on getting StreamDB a proper Snorby
plugin/menu selection.

Dustin W. Webber
Dustin.Webber at ...11827...
(913) 375-2798


On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...> wrote:

> I agree with Jason:  BASE is dead and clunky, and not all that easy to
> install.  If you are looking for a dead simple install with no traffic
> integration, then I suggest having Snort (or barnyard) output to
> syslog and send it to a personal version of Splunk, which is free.
> You can get that up and running in about five minutes.  However,
> Snorby is superior and worth putting a few more (but not too many
> more) minutes of time because you get the packet integration.  In my
> opinion, unless you have access to the traffic you are inspecting with
> your IDS in some sort of raw form, you are operating a crippled
> installation and have no way to make informed decisions about good or
> bad events on the network.
>
> I will also mention that Snorby integrates with my
> StreamDB.googlecode.com project which is OpenFPC compatible, but
> several orders of magnitude faster than OpenFPC.  So my recommendation
> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
> retrieval is just too slow for my taste, and so that precludes running
> Squert.
>
> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...>
> wrote:
> > Alexus,
> > Full disclosure, I work with Mephux on Snorby but I don't think James or
> > Alex correctly or accurately answered your question, so I wanted to throw
> > in my $0.02.
> >
> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
> > years ago). It doesn't plug in with any of the packet capture frameworks
> > out there and its interface is disorganized compared to the other
> > available front-ends. It's dead, let's move on. Supporting a dead
> > open-source project hurts the actively developed efforts out there.
> >
> > Squert is a bad ass project in active development. One thing James didn't
> > mention though is that it requires Sguil, which utilizes an entirely
> > different DB schema than the ones provided by the snort/barnyard2 db
> > output plugins. Sguil requires a bit more expertise to get up and running
> > than your standard Snort + front-end solution. If you want to go that
> > route, Squert is a good Sguil companion.
> >
> > Snorby is a RECENT development in the community. It was first introduced
> > in 2009 and has far surpassed BASE in functionality. I work with Mephux
> > developing Snorby and here are some of the reasons I would recommend it
> > to anyone:
> >
> > It's actively developed by two passionate NSM analysts.
> > It allows you to pivot on datapoints in the events without interrupting
> > the analyst's thought process (rule content, related alerts, ip arin/whois
> > data).
> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
> > Capture.
> > It has exportable and beautiful PDF reports and metrics.
> >
> > The security industry is evolving so rapidly that choosing a dead project
> > like BASE for your SOC, MSSP, CIRT, or even personal use is just setting
> > you up for failure.
> >
> > Other people agree with this assessment and that is why the project has
> > been accepted into Security Onion Distro and featured on The Change Log.
> > Other analysts are excited about Snorby as well. Check out these
> > articles:
> >
> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
> >
> > If you want to check out Snorby, check out our live demo at
> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
> > If you want to test out Snorby in your environment, check out
> > Insta-Snorby (www.snorby.org), it's a turn-key Snorby.
> > Enjoy the project and please support us!
> > Mephux and Terracatta
> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:
> >>
> >>
> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
> >>
> >> >I was wondering what's popular/good web interfaces these days?
> >> >
> >> >--
> >> >http://alexus.org/
> >> >
> >>
> >> >------------------------------------------------------------------------------
> >> >EMC VNX: the world's simplest storage, starting under $10K
> >> >The only unified storage solution that offers unified management
> >> >Up to 160% more powerful than alternatives and 25% more efficient.
> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
> >> >_______________________________________________
> >> >Snort-users mailing list
> >> >Snort-users at lists.sourceforge.net
> >> >Go to this URL to change user options or unsubscribe:
> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >> >Snort-users list archive:
> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >
> >> >Please visit http://blog.snort.org to stay current on all the latest
> >> >Snort news!
> >>
> >> BASE seems to give the maximum amount of information/reports vs. ease of
> >> install.  SQueRT is awesome, but does require a few extra processes
> >> running.  Snorby is "ok"...not very good for reports at least in my
> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
> >> tuned snort install since you don't have an easy method to delete
> >> entries.
> >>
> >> James
> >>
>
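The pivot Martin and Jason describe, from a Snort alert to the raw traffic behind it, is the whole point of pairing a front-end with full packet capture. The following is an added example, not code from this thread, from Snort, Snorby, OpenFPC or StreamDB. It parses alert lines in the layout Snort's alert_syslog output plugin writes (the sample lines are constructed for the example), extracts the fields an analyst pivots on, finds related alerts on the same host pair, and builds the BPF filter and tcpdump command that carve the matching flow out of a local pcap file. The pcap path and the tcpdump carve are assumptions standing in for whatever retrieval back end you actually run.

```python
"""Pivot from Snort syslog alerts to the packets behind them (added example)."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines. The snort ones follow alert_syslog's layout:
#   [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
SAMPLE_SYSLOG = """\
Aug 23 21:41:07 sensor1 snort[4242]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:41200
Aug 23 21:41:09 sensor1 snort[4242]: [1:2003195:5] ET POLICY Unusual PUT Request [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:41201 -> 10.0.0.5:80
Aug 23 21:41:11 sensor1 snort[4242]: [1:2001219:18] ET SCAN Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:55555 -> 192.168.1.10:22
Aug 23 21:41:12 sensor1 snort[4242]: [1:2100366:8] GPL ICMP_INFO PING *NIX [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
Aug 23 21:41:13 sensor1 sshd[999]: Accepted publickey for alice from 192.168.1.10 port 41300 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Classification is optional (rules without classtype omit it); ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])? \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))? -> "
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def rule_id(self) -> str:
        return f"{self.gid}:{self.sid}:{self.rev}"


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_alert(line: str) -> Optional[Alert]:
    """One syslog line -> Alert, or None if it is not a Snort alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Alert(
        timestamp=m["ts"], sensor=m["host"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"].lower(),
        src=m["src"], sport=_port(m["sport"]),
        dst=m["dst"], dport=_port(m["dport"]),
    )


def parse_alerts(text: str) -> List[Alert]:
    """Every Snort alert in a syslog extract; lines from other daemons are skipped."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def related(alerts: List[Alert], pivot: Alert) -> List[Alert]:
    """Other alerts involving the same host pair, in either direction."""
    pair = {pivot.src, pivot.dst}
    return [a for a in alerts if a is not pivot and {a.src, a.dst} == pair]


def triage(alerts: List[Alert]) -> List[Alert]:
    """Snort priority 1 is most severe; most severe first, then oldest first."""
    return sorted(alerts, key=lambda a: (a.priority, a.timestamp))


def bpf_for(alert: Alert) -> str:
    """BPF selecting both directions of the flow behind the alert."""
    terms = [alert.proto, f"host {alert.src}", f"host {alert.dst}"]
    if alert.sport is not None and alert.dport is not None:
        terms += [f"port {alert.sport}", f"port {alert.dport}"]
    return " and ".join(terms)


def carve_command(alert: Alert, pcap_path: str, out_path: str) -> List[str]:
    """argv that writes only that flow from a local pcap (paths are assumptions)."""
    return ["tcpdump", "-nn", "-r", pcap_path, "-w", out_path, bpf_for(alert)]


if __name__ == "__main__":
    for a in triage(parse_alerts(SAMPLE_SYSLOG)):
        print(f"P{a.priority} {a.rule_id} {a.msg}")
        print("   ", shlex.join(carve_command(a, "/var/pcap/sensor1.pcap", f"/tmp/{a.sid}.pcap")))
```

The point of the worked pivot is that the BPF is derived from the alert, never typed by hand, so the analyst's "show me the packets" step is one command rather than a context switch; the ICMP alert shows why the port terms must be conditional.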