[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 22:16:11 EDT 2011


Shawn,

No reason to say `Unfortunately` - you are doing proper IR. If you
contributed to BASE to add this functionality.. then.. you know what you are
doing.. not much I can say to that.

Dustin W. Webber
Dustin.Webber at ...11827...


On Tue, Aug 23, 2011 at 10:13 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

>  I agree that full packet capture is essential, IMO… and I use both
> OpenFPC and StreamDB, since they both have their strong points and
> weaknesses.  Everyone should have this setup to really be able to
> investigate events from IDS.
>
> I also have integration into systems management (i.e. does this alert
> correlate with vulnerabilities on the box?), and also correlation with my
> endpoint protection system as well.  Unfortunately, I am currently doing
> this via BASE and some custom code.  I’ve found this very helpful too, and
> it makes analysts more efficient.
>
>  ------------------------------
>
> *From:* Dustin Webber [mailto:dustin.webber at ...11827...]
> *Sent:* August 23, 2011 6:56 PM
> *To:* Martin Holste
> *Cc:* Snort
>
> *Subject:* Re: [Snort-users] snort web interface
>
> All,
>
> Very concerned with the comments by James Lay and Adam Wright... Idiotic to
> say the least... anyways..
>
> Second, I don't think I have ever heard anyone sum up how important full
> packet capture is than Martin Holste just did (since Bam/Richard of course).
> I'm biased in this decision because I started and maintain snorby but if you
> decided to use another tool please make sure it follows the NSM guidelines.
> Sguil, snorby, Squert and the upcoming nsmframework are your best options
> for a proper IR/NSM solution.
>
> Martin, I would like to work with you on getting StreamDB a proper snorby
> plugin/menu selection.
>
> Dustin W. Webber
> Dustin.Webber at ...11827...
> (913) 375-2798
>
>  On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...>
> wrote:
>
> I agree with Jason:  BASE is dead and clunky, and not all that easy to
> install.  If you are looking for a dead simple install with no traffic
> integration, then I suggest having Snort (or barnyard) output to
> syslog and send it to a personal version of Splunk, which is free.
> You can get that up and running in about five minutes.  However,
> Snorby is superior and worth putting a few more (but not too many
> more) minutes of time because you get the packet integration.  In my
> opinion, unless you have access to the traffic you are inspecting with
> your IDS in some sort of raw form, you are operating a crippled
> installation and have no way to make informed decisions about good or
> bad events on the network.
>
> I will also mention that Snorby integrates with my
> StreamDB.googlecode.com project which is OpenFPC compatible, but
> several orders of magnitude faster than OpenFPC.  So my recommendation
> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
> retrieval is just too slow for my taste, and so that precludes running
> Squert.
>
>
> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...>
> wrote:
>
> > Alexus,
> > Full disclosure, I work with Mephux on Snorby but I don't think James or
> > Alex correctly or accurately answered your question, so I wanted to throw
> > in my $0.02.
> >
> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
> > years ago). It doesn't plug in with any of the packet capture frameworks
> > out there and its interface is disorganized compared to the other available
> > front-ends. It's dead, let's move on. Supporting a dead open-source
> > project hurts the actively developed efforts out there.
> >
> > Squert is a bad ass project in active development. One thing James didn't
> > mention though is that it requires SGUIL which utilizes an entirely
> > different DB schema than the ones provided by the snort/barnyard2 db
> > output plugins. SGUIL requires a bit more expertise to get up and running
> > than your standard Snort + front-end solution. If you want to go that
> > route Squert is a good SGUIL companion.
> >
> > Snorby is a RECENT development in the community. It was first introduced
> > in 2009 and has far surpassed BASE in functionality. I work with Mephux
> > developing Snorby and here are some of the reasons I would recommend it
> > to anyone:
> >
> > It's actively developed by two passionate NSM analysts.
> > It allows you to pivot on datapoints in the events without interrupting
> > the analyst's thought process (rule content, related alerts, ip arin/whois
> > data)
> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
> > Capture.
> > It has exportable and beautiful PDF reports and metrics.
> >
> > The security industry is evolving so rapidly that choosing a dead project
> > like BASE for your SOC, MSSP, CIRT, or even personal use is just setting
> > you up for failure.
> >
> > Other people agree with this assessment and that is why the project has
> > been accepted into Security Onion Distro and featured on The Change Log.
> > Other analysts are excited about Snorby as well. Check out these
> > articles:
> >
> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
> >
> > If you want to check out Snorby check out our live demo at
> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
> > If you want to test out Snorby in your environment, check out
> > Insta-Snorby (www.snorby.org), it's a turn-key Snorby.
> > Enjoy the project and please support us!
> > Mephux and Terracatta
> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...>
> > wrote:
> >>
> >>
> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
> >>
> >> >I was wondering what's popular/good web interfaces these days?
> >> >
> >> >--
> >> >http://alexus.org/
> >> >
> >>
> >> >
> >--------------------------------------------------------------------------
> >> >----
> >> >EMC VNX: the world's simplest storage, starting under $10K
> >> >The only unified storage solution that offers unified management
> >> >Up to 160% more powerful than alternatives and 25% more efficient.
> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
> >> >_______________________________________________
> >> >Snort-users mailing list
> >> >Snort-users at lists.sourceforge.net
> >> >Go to this URL to change user options or unsubscribe:
> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >> >Snort-users list archive:
> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >
> >> >Please visit http://blog.snort.org to stay current on all the latest
> >> >Snort news!
> >>
> >> BASE seems to give the maximum amount of information/reports vs. ease of
> >> install.  SQueRT is awesome, but does require a few extra processes
> >> running.  Snorby is "ok"...not very good for reports at least in my
> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
> >> tuned snort install since you don't have an easy method to delete
> >> entries.
> >>
> >> James
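Martin's and Jason's point above, that an IDS alert is only actionable when the analyst can pull the actual traffic behind it, comes down in practice to turning an alert into a query against the full packet capture store. The following is an added example, not code from this thread or from Snorby, StreamDB or OpenFPC: it parses a Snort fast-format alert line (the sample is constructed) into its 5-tuple and timestamp and builds the BPF filter and time window an analyst would hand to a capture store; the year and the window sizes are assumptions, since the fast format carries no year.

```python
"""Pivot from a Snort fast-format alert to the matching flow in a full packet capture store.

Extract the 5-tuple and timestamp from an alert_fast line, then build the BPF
filter and time window needed to retrieve that flow from an FPC store.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in Snort's alert_fast format (not a real alert from the thread).
SAMPLE_ALERT = ('08/23-21:41:07.123456  [**] [1:2008:4] ET POLICY Example [**] '
                '[Classification: Potential Corporate Privacy Violation] [Priority: 1] '
                '{TCP} 192.0.2.10:51234 -> 198.51.100.5:80')

ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'   # classification is optional
    r'(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?'            # so is priority
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?'
    r'\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$')   # ports absent for ICMP

def parse_fast_alert(line, year=2011):
    """Return the alert's fields as a dict, or None if the line is not a fast alert.
    The fast format carries no year, so the caller supplies it (assumption)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        'ts': datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
        'gid': int(m['gid']), 'sid': int(m['sid']), 'rev': int(m['rev']),
        'msg': m['msg'], 'cls': m['cls'], 'pri': int(m['pri']) if m['pri'] else None,
        'proto': m['proto'], 'src': m['src'], 'dst': m['dst'],
        'sport': int(m['sport']) if m['sport'] else None,
        'dport': int(m['dport']) if m['dport'] else None,
    }

def bpf_for_flow(a):
    """BPF filter matching both directions of the alert's flow."""
    proto = a['proto'].lower()
    if a['sport'] is None:  # ICMP and other port-less protocols: host pair only
        return f"{proto} and host {a['src']} and host {a['dst']}"
    fwd = f"src host {a['src']} and src port {a['sport']} and dst host {a['dst']} and dst port {a['dport']}"
    rev = f"src host {a['dst']} and src port {a['dport']} and dst host {a['src']} and dst port {a['sport']}"
    return f"{proto} and (({fwd}) or ({rev}))"

def capture_window(a, before=timedelta(seconds=30), after=timedelta(seconds=120)):
    """Time window to request from the FPC store (sizes are assumptions): a little
    before the alert to catch the handshake, longer after to catch the session body."""
    return a['ts'] - before, a['ts'] + after
```

The filter string is what OpenFPC-style stores and tcpdump accept, so the same dict can drive either a capture-store request or a local `tcpdump -r` over an archived pcap.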