[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 22:13:49 EDT 2011


Alex,

Like I said.. not trying to be mean.. think of it as an `information security
intervention`. - Sometimes the truth feels like an insult.. but it's just the
truth.

Dustin W. Webber
Dustin.Webber at ...11827...


On Tue, Aug 23, 2011 at 10:10 PM, Alex Wright <wrightalexw at ...131...> wrote:

> I responded to the popular half. And agreed with you. I'm sure insults
> commonly progress things though.
>
>
>  Sent from Yahoo! Mail on Android
>
>  ------------------------------
> * From: * Dustin Webber <dustin.webber at ...11827...>;
> * To: * Alex Wright <wrightalexw at ...131...>;
> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>  * Subject: * Re: [Snort-users] snort web interface
> * Sent: * Wed, Aug 24, 2011 2:06:14 AM
>
>
> Well.. VI is pretty common.. but if you use that over VIM, well you're
> just an idiot. -- dude, not trying to be mean.. but srsly.. you are setting
> us all back in evolution.. just stop.
>
> Dustin W. Webber
> Dustin.Webber at ...11827...
>
>
> On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <wrightalexw at ...131...> wrote:
>
>> Superiority doesn't prevent BASE from being common.
>>
>> -adam
>>
>>
>> Sent from Yahoo! Mail on Android
>>
>>  ------------------------------
>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>> * To: * Martin Holste <mcholste at ...11827...>;
>> * Cc: * Snort <snort-users at lists.sourceforge.net>;
>>  * Subject: * Re: [Snort-users] snort web interface
>> * Sent: * Wed, Aug 24, 2011 1:55:52 AM
>>
>> All,
>>
>> Very concerned with the comments by James Lay and Adam
>> Wright... Idiotic to say the least... anyways..
>>
>> Second, I don't think I have ever heard anyone sum up how important full
>> packet capture is than Martin Holste just did (since Bam/Richard of course).
>> I'm biased in this decision because I started and maintain Snorby, but if you
>> decide to use another tool please make sure it follows the NSM guidelines.
>> Sguil, Snorby, Squert and the upcoming nsmframework are your best options
>> for a proper IR/NSM solution.
>>
>> Martin, I would like to work with you on getting StreamDB a proper Snorby
>> plugin/menu selection.
>>
>> Dustin W. Webber
>> Dustin.Webber at ...11827...
>> (913) 375-2798
>>
>>
>> On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...> wrote:
>>
>>> I agree with Jason:  BASE is dead and clunky, and not all that easy to
>>> install.  If you are looking for a dead simple install with no traffic
>>> integration, then I suggest having Snort (or barnyard) output to
>>> syslog and send it to a personal version of Splunk, which is free.
>>> You can get that up and running in about five minutes.  However,
>>> Snorby is superior and worth putting a few more (but not too many
>>> more) minutes of time because you get the packet integration.  In my
>>> opinion, unless you have access to the traffic you are inspecting with
>>> your IDS in some sort of raw form, you are operating a crippled
>>> installation and have no way to make informed decisions about good or
>>> bad events on the network.
>>>
>>> I will also mention that Snorby integrates with my
>>> StreamDB.googlecode.com project which is OpenFPC compatible, but
>>> several orders of magnitude faster than OpenFPC.  So my recommendation
>>> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
>>> retrieval is just too slow for my taste, and so that precludes running
>>> Squert.
>>>
>>> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...> wrote:
>>> > Alexus,
>>> > Full disclosure, I work with Mephux on Snorby but I don't think James or
>>> > Alex correctly or accurately answered your question, so I wanted to throw
>>> > in my $0.02.
>>> >
>>> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
>>> > years ago). It doesn't plug in with any of the packet capture frameworks
>>> > out there and its interface is disorganized compared to the other
>>> > available front-ends. It's dead, let's move on. Supporting a dead
>>> > open-source project hurts the actively developed efforts out there.
>>> >
>>> > Squert is a bad ass project in active development. One thing James didn't
>>> > mention though is that it requires SGUIL, which utilizes an entirely
>>> > different DB schema than the ones provided by the snort/barnyard2 db
>>> > output plugins. SGUIL requires a bit more expertise to get up and running
>>> > than your standard Snort + front-end solution. If you want to go that
>>> > route, Squert is a good SGUIL companion.
>>> >
>>> > Snorby is a RECENT development in the community. It was first introduced
>>> > in 2009 and has far surpassed BASE in functionality. I work with Mephux
>>> > developing Snorby and here are some of the reasons I would recommend it
>>> > to anyone:
>>> >
>>> > It's actively developed by two passionate NSM analysts.
>>> > It allows you to pivot on datapoints in the events without interrupting
>>> > the analyst's thought process (rule content, related alerts, IP ARIN/whois
>>> > data).
>>> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
>>> > Capture.
>>> > It has exportable and beautiful PDF reports and metrics.
>>> >
>>> > The security industry is evolving so rapidly that choosing a dead project
>>> > like BASE for your SOC, MSSP, CIRT, or even personal use is just setting
>>> > you up for failure.
>>> >
>>> > Other people agree with this assessment and that is why the project has
>>> > been accepted into the Security Onion Distro and featured on The Change Log.
>>> > Other analysts are excited about Snorby as well. Check out these articles:
>>> >
>>> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
>>> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
>>> >
>>> > If you want to check out Snorby, check out our live demo at
>>> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
>>> > If you want to test out Snorby in your environment, check out Insta-Snorby
>>> > (www.snorby.org), it's a turn-key Snorby.
>>> > Enjoy the project and please support us!
>>> > Mephux and Terracatta
>>> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:
>>> >>
>>> >>
>>> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
>>> >>
>>> >> >I was wondering what's popular/good web interfaces these days?
>>> >> >
>>> >> >--
>>> >> >http://alexus.org/
>>> >> >
>>> >>
>>> >> >
>>> >> >------------------------------------------------------------------------------
>>> >> >EMC VNX: the world's simplest storage, starting under $10K
>>> >> >The only unified storage solution that offers unified management
>>> >> >Up to 160% more powerful than alternatives and 25% more efficient.
>>> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>>> >> >_______________________________________________
>>> >> >Snort-users mailing list
>>> >> >Snort-users at lists.sourceforge.net
>>> >> >Go to this URL to change user options or unsubscribe:
>>> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
>>> >> >Snort-users list archive:
>>> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >> >
>>> >> >Please visit http://blog.snort.org to stay current on all the latest
>>> >> >Snort news!
>>> >>
>>> >> BASE seems to give the maximum amount of information/reports vs. ease of
>>> >> install.  SQueRT is awesome, but does require a few extra processes
>>> >> running.  Snorby is "ok"...not very good for reports at least in my
>>> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
>>> >> tuned snort install since you don't have an easy method to delete entries.
>>> >>
>>> >> James
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> ------------------------------------------------------------------------------
>>> >> EMC VNX: the world's simplest storage, starting under $10K
>>> >> The only unified storage solution that offers unified management
>>> >> Up to 160% more powerful than alternatives and 25% more efficient.
>>> >> Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>>> >> _______________________________________________
>>> >> Snort-users mailing list
>>> >> Snort-users at lists.sourceforge.net
>>> >> Go to this URL to change user options or unsubscribe:
>>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> >> Snort-users list archive:
>>> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >>
>>> >> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort
>>> >> news!
>>> >
>>> >
>>> >
>>> ------------------------------------------------------------------------------
>>> > EMC VNX: the world's simplest storage, starting under $10K
>>> > The only unified storage solution that offers unified management
>>> > Up to 160% more powerful than alternatives and 25% more efficient.
>>> > Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>>> > _______________________________________________
>>> > Snort-users mailing list
>>> > Snort-users at lists.sourceforge.net
>>> > Go to this URL to change user options or unsubscribe:
>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > Snort-users list archive:
>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >
>>> > Please visit http://blog.snort.org to stay current on all the latest
>>> Snort
>>> > news!
>>> >
>>>
>>>
>>>
>>
>>
>
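Martin Holste's quick-start suggestion above (have Snort or barnyard2 write alerts to syslog and ship them to a log tool) and James Lay's point that Snorby and Squert want a tuned sensor both come down to working with Snort's one-line alert format. The following is an added example, not code from the thread or from Snort, barnyard2, Snorby or any other project named in it: it parses Snort 2.x alert_syslog lines (with or without the header the syslog daemon prepends), ranks the noisiest signatures, and emits threshold.conf event_filter lines as a starting point for tuning. The sample log lines, the host name sensor1 and the RFC 5737 addresses are constructed.

```python
"""Parse Snort 2.x alert_syslog lines and rank the noisy signatures.

Added example for the thread above; not code from Snort, barnyard2, Snorby or
any other project named there. Sample lines, the host name 'sensor1' and the
RFC 5737 addresses are constructed.
"""
import re
from collections import Counter

# One alert as written by "output alert_syslog". The syslog header (timestamp,
# host, "snort[pid]:") is optional so the bare message body also parses.
# Classification is optional; ICMP alerts carry no ports. IPv4 only.
ALERT_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[\d+\]: )?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<pri>\d+)\] \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample syslog output; the last line is deliberately not an alert.
SAMPLE_LOG = """\
Aug 23 22:01:11 sensor1 snort[4242]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
Aug 23 22:01:12 sensor1 snort[4242]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.1
Aug 23 22:01:13 sensor1 snort[4242]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.21 -> 192.0.2.1
Aug 23 22:01:14 sensor1 snort[4242]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.20 -> 192.0.2.1
Aug 23 22:01:15 sensor1 snort[4242]: [129:12:1] Consecutive TCP small segments exceeding threshold [Priority: 3] {TCP} 192.0.2.30:44321 -> 198.51.100.7:443
this line is not a snort alert and must be skipped
"""


def parse_alert(line):
    """Return a dict for one Snort alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse every alert in a block of syslog text, silently skipping other lines."""
    alerts = []
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is not None:
            alerts.append(rec)
    return alerts


def rank_signatures(alerts):
    """Count alerts per (gid, sid, msg); Counter.most_common() gives noisiest first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def tuning_suggestions(ranked, min_hits):
    """Emit threshold.conf event_filter lines for signatures with >= min_hits alerts.

    type limit / count 1 / seconds 60 keeps the first alert per source per
    minute, so the signature stays visible in the console without flooding
    it. Review each line before installing it; a 'suppress' line (not
    generated here) would hide the signature entirely.
    """
    lines = []
    for (gid, sid, _msg), hits in ranked.most_common():
        if hits < min_hits:
            break  # most_common() is sorted descending, nothing below qualifies
        lines.append(
            f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count 1, seconds 60"
        )
    return lines


if __name__ == "__main__":
    ranked = rank_signatures(parse_log(SAMPLE_LOG))
    for (gid, sid, msg), hits in ranked.most_common():
        print(f"{hits:4d}  [{gid}:{sid}] {msg}")
    for line in tuning_suggestions(ranked, min_hits=3):
        print(line)
```

Run it against a real `/var/log/snort` syslog file (after changing the sample text) before you let a front-end ingest anything: the top of the ranking is exactly the set of signatures James is warning about, and the emitted event_filter lines belong in threshold.conf, not in the rule files, so they survive a rule update.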