[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 22:06:14 EDT 2011


Well.. VI is pretty common.. but if you use that over VIM, well you're just
an idiot. -- dude, not trying to be mean.. but srsly.. you are setting us
all back in evolution.. just stop.

Dustin W. Webber
Dustin.Webber at ...11827...


On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <wrightalexw at ...131...> wrote:

> Superiority doesn't prevent BASE from being common.
>
> -adam
>
>
> Sent from Yahoo! Mail on Android
>
>  ------------------------------
> * From: * Dustin Webber <dustin.webber at ...11827...>;
> * To: * Martin Holste <mcholste at ...11827...>;
> * Cc: * Snort <snort-users at lists.sourceforge.net>;
>  * Subject: * Re: [Snort-users] snort web interface
> * Sent: * Wed, Aug 24, 2011 1:55:52 AM
>
>   All,
>
> Very concerned with the comments by James Lay and Adam Wright... Idiotic to
> say the least... anyways..
>
> Second, I don't think I have ever heard anyone sum up how important full
> packet capture is than Martin Holste just did (since Bam/Richard of course).
> I'm biased in this decision because I started and maintain snorby but if you
> decide to use another tool please make sure it follows the NSM guidelines.
> Sguil, snorby, Squert and the upcoming nsmframework are your best options
> for proper IR/NSM solutions.
>
> Martin, I would like to work with you on getting StreamDB a proper snorby
> plugin/menu selection.
>
> Dustin W. Webber
> Dustin.Webber at ...11827...
> (913) 375-2798
>
>
> On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...> wrote:
>
>> I agree with Jason:  BASE is dead and clunky, and not all that easy to
>> install.  If you are looking for a dead simple install with no traffic
>> integration, then I suggest having Snort (or barnyard) output to
>> syslog and send it to a personal version of Splunk, which is free.
>> You can get that up and running in about five minutes.  However,
>> Snorby is superior and worth putting a few more (but not too many
>> more) minutes of time because you get the packet integration.  In my
>> opinion, unless you have access to the traffic you are inspecting with
>> your IDS in some sort of raw form, you are operating a crippled
>> installation and have no way to make informed decisions about good or
>> bad events on the network.
>>
>> I will also mention that Snorby integrates with my
>> StreamDB.googlecode.com project which is OpenFPC compatible, but
>> several orders of magnitude faster than OpenFPC.  So my recommendation
>> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
>> retrieval is just too slow for my taste, and so that precludes running
>> Squert.
>>
>> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...>
>> wrote:
>> > Alexus,
>> > Full disclosure, I work with Mephux on Snorby but I don't think James or
>> > Alex correctly or accurately answered your question, so I wanted to throw
>> > in my $0.02.
>> >
>> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
>> > years ago). It doesn't plug in with any of the packet capture frameworks
>> > out there and its interface is disorganized compared to the other
>> > available front-ends. It's dead, let's move on. Supporting a dead
>> > open-source project hurts the actively developed efforts out there.
>> >
>> > Squert is a bad ass project in active development. One thing James didn't
>> > mention though is that it requires SGUIL which utilizes an entirely
>> > different DB schema than the ones provided by the snort/barnyard2 db
>> > output plugins. SGUIL requires a bit more expertise to get up and running
>> > than your standard Snort + front-end solution. If you want to go that
>> > route Squert is a good SGUIL companion.
>> >
>> > Snorby is a RECENT development in the community. It was first introduced
>> > in 2009 and has far surpassed BASE in functionality. I work with Mephux
>> > developing Snorby and here are some of the reasons I would recommend it
>> > to anyone:
>> >
>> > It's actively developed by two passionate NSM analysts.
>> > It allows you to pivot on datapoints in the events without interrupting
>> > the analyst's thought process (rule content, related alerts, ip
>> > arin/whois data)
>> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
>> > Capture.
>> > It has exportable and beautiful PDF reports and metrics.
>> >
>> > The security industry is evolving so rapidly that choosing a dead
>> > project like BASE for your SOC, MSSP, CIRT, or even personal use is just
>> > setting you up for failure.
>> >
>> > Other people agree with this assessment and that is why the project has
>> > been accepted into Security Onion Distro and featured on The Change Log.
>> > Other analysts are excited about Snorby as well. Check out these
>> > articles:
>> >
>> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
>> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
>> >
>> > If you want to check out Snorby check out our live demo at
>> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
>> > If you want to test out Snorby in your environment, check out
>> > Insta-Snorby (www.snorby.org), it's a turn-key Snorby.
>> > Enjoy the project and please support us!
>> >
>> > Mephux and Terracatta
>> >
>> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:
>> >>
>> >>
>> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
>> >>
>> >> >I was wondering what's popular/good web interfaces these days?
>> >> >
>> >> >--
>> >> >http://alexus.org/
>> >> >
>> >>
>> >> >
>> >> >------------------------------------------------------------------------------
>> >> >EMC VNX: the world's simplest storage, starting under $10K
>> >> >The only unified storage solution that offers unified management
>> >> >Up to 160% more powerful than alternatives and 25% more efficient.
>> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>> >> >_______________________________________________
>> >> >Snort-users mailing list
>> >> >Snort-users at lists.sourceforge.net
>> >> >Go to this URL to change user options or unsubscribe:
>> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >Snort-users list archive:
>> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >
>> >> >Please visit http://blog.snort.org to stay current on all the latest
>> >> >Snort news!
>> >>
>> >> BASE seems to give the maximum amount of information/reports vs. ease
>> >> of install.  SQueRT is awesome, but does require a few extra processes
>> >> running.  Snorby is "ok"...not very good for reports at least in my
>> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
>> >> tuned snort install since you don't have an easy method to delete
>> >> entries.
>> >>
>> >> James
>> >>
>> >
>> >
>> >
>>
>>
>
>
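Two practical points come up in the thread above: Martin's "dead simple" option of having Snort (or barnyard) emit alerts to syslog and ship them to a log platform, and James's warning that with Squert or Snorby a tuned Snort install is crucial because noisy rules can't easily be deleted from the console. The Python below is an added example, not code from the thread or from Snort, Snorby, Sguil or any other project named in it. It parses Snort's syslog-style alert lines (the `[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port` format) into structured records, emits them as JSON for a log shipper, and counts alerts per rule so the rules generating the most noise can be identified for tuning before they flood a front-end. The sample log lines, the sensor name, the SIDs (1000001 to 1000003) and the IP addresses are all constructed for the example.

```python
import json
import re
from collections import Counter
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines in the shape Snort's syslog alert output
# produces. SIDs, hostname, PID and addresses are made up; the last line is
# an unrelated sshd message that the parser must ignore.
SAMPLE_SYSLOG = """\
Aug 23 21:41:02 sensor1 snort[2718]: [1:1000001:2] CONSTRUCTED Inbound HTTP scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:45678 -> 198.51.100.5:80
Aug 23 21:41:03 sensor1 snort[2718]: [1:1000001:2] CONSTRUCTED Inbound HTTP scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:45679 -> 198.51.100.5:80
Aug 23 21:41:05 sensor1 snort[2718]: [1:1000002:1] CONSTRUCTED ICMP echo no classtype [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
Aug 23 21:41:09 sensor1 snort[2718]: [1:1000003:4] CONSTRUCTED Policy violation [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 198.51.100.22:5353 -> 203.0.113.9:53
Aug 23 21:41:10 sensor1 sshd[999]: Accepted publickey for ops from 198.51.100.2 port 51234 ssh2
"""

# The [Classification: ...] field is optional (rules without a classtype omit
# it), and ICMP alerts carry no ports, so both are optional groups.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?\s*$"
)


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.search(line)  # search, so the syslog timestamp/host prefix is skipped
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]), msg=g["msg"],
        classification=g["classification"], priority=int(g["priority"]),
        proto=g["proto"], src_ip=g["src_ip"],
        src_port=int(g["src_port"]) if g["src_port"] else None,
        dst_ip=g["dst_ip"],
        dst_port=int(g["dst_port"]) if g["dst_port"] else None,
    )


def parse_syslog(text: str) -> List[SnortAlert]:
    """Parse every line of a syslog capture, keeping only Snort alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def to_event(alert: SnortAlert) -> str:
    """One JSON object per alert, the shape a log shipper or SIEM ingests."""
    return json.dumps(asdict(alert), sort_keys=True)


def rule_counts(alerts: List[SnortAlert]) -> List[Tuple[Tuple[int, int], int]]:
    """(gid, sid) pairs ordered by alert volume; the top entries are tuning candidates."""
    return Counter((a.gid, a.sid) for a in alerts).most_common()


def high_priority(alerts: List[SnortAlert], max_priority: int = 1) -> List[SnortAlert]:
    """Alerts at or above a priority threshold (Snort priority 1 is the most severe)."""
    return [a for a in alerts if a.priority <= max_priority]


if __name__ == "__main__":
    parsed = parse_syslog(SAMPLE_SYSLOG)
    for alert in parsed:
        print(to_event(alert))
    print("alerts per rule:", rule_counts(parsed))
    print("priority-1 alerts:", [a.sid for a in high_priority(parsed)])
```

Feeding real `snort` syslog output through `parse_syslog` and looking at the head of `rule_counts` is a quick way to find the handful of rules that account for most of the volume; those are the ones to threshold or suppress in the Snort config before the events reach Snorby or Squert, where, as James notes, they cannot easily be removed afterwards.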