[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 22:22:28 EDT 2011


Alex,

Pain?.. dude, you are using yahoo mail.. you really expected us to take you
seriously? You offered advice based on age? `What's the center of the
universe?` said person X. `Well, the sun obviously.. based on age and
commonality.`

please..

Dustin W. Webber
Dustin.Webber at ...11827...


On Tue, Aug 23, 2011 at 10:19 PM, Alex Wright <wrightalexw at ...131...> wrote:

> So much pain.
>
>
> Sent from Yahoo! Mail on Android
>
>  ------------------------------
> * From: * Dustin Webber <dustin.webber at ...11827...>;
> * To: * Alex Wright <wrightalexw at ...131...>;
> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
> * Subject: * Re: [Snort-users] snort web interface
> * Sent: * Wed, Aug 24, 2011 2:13:49 AM
>
>
> Alex,
>
> Like I said.. not trying to be mean.. think of it as `information security
> intervention`. - Sometimes the truth feels like an insult.. but it's just
> the truth.
>
> Dustin W. Webber
> Dustin.Webber at ...11827...
>
>
> On Tue, Aug 23, 2011 at 10:10 PM, Alex Wright <wrightalexw at ...131...> wrote:
>
>> I responded to the popular half. And agreed with you. I'm sure insults
>> commonly progress things though.
>>
>>
>> Sent from Yahoo! Mail on Android
>>
>> ------------------------------
>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>> * To: * Alex Wright <wrightalexw at ...131...>;
>> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
>> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>> * Subject: * Re: [Snort-users] snort web interface
>> * Sent: * Wed, Aug 24, 2011 2:06:14 AM
>>
>>
>> Well.. VI is pretty common.. but if you use that over VIM, well you're
>> just an idiot. -- dude, not trying to be mean.. but srsly.. you are setting
>> us all back in evolution.. just stop.
>>
>> Dustin W. Webber
>> Dustin.Webber at ...11827...
>>
>>
>> On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <wrightalexw at ...131...> wrote:
>>
>>> Superiority doesn't prevent BASE from being common.
>>>
>>> -adam
>>>
>>>
>>> Sent from Yahoo! Mail on Android
>>>
>>> ------------------------------
>>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>>> * To: * Martin Holste <mcholste at ...11827...>;
>>> * Cc: * Snort <snort-users at lists.sourceforge.net>;
>>> * Subject: * Re: [Snort-users] snort web interface
>>> * Sent: * Wed, Aug 24, 2011 1:55:52 AM
>>>
>>> All,
>>>
>>> Very concerned with the comments by James Lay and Adam
>>> Wright... Idiotic to say the least... anyways..
>>>
>>> Second, I don't think I have ever heard anyone sum up how important full
>>> packet capture is than Martin Holste just did (since Bamm/Richard of course).
>>> I'm biased in this decision because I started and maintain Snorby but if you
>>> decide to use another tool please make sure it follows the NSM guidelines.
>>> Sguil, Snorby, Squert and the upcoming nsmframework are your best
>>> options for a proper IR/NSM solution.
>>>
>>> Martin, I would like to work with you on getting StreamDB a proper Snorby
>>> plugin/menu selection.
>>>
>>> Dustin W. Webber
>>> Dustin.Webber at ...11827...
>>> (913) 375-2798
>>>
>>>
>>> On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...> wrote:
>>>
>>>> I agree with Jason:  BASE is dead and clunky, and not all that easy to
>>>> install.  If you are looking for a dead simple install with no traffic
>>>> integration, then I suggest having Snort (or barnyard) output to
>>>> syslog and send it to a personal version of Splunk, which is free.
>>>> You can get that up and running in about five minutes.  However,
>>>> Snorby is superior and worth putting a few more (but not too many
>>>> more) minutes of time because you get the packet integration.  In my
>>>> opinion, unless you have access to the traffic you are inspecting with
>>>> your IDS in some sort of raw form, you are operating a crippled
>>>> installation and have no way to make informed decisions about good or
>>>> bad events on the network.
>>>>
>>>> I will also mention that Snorby integrates with my
>>>> StreamDB.googlecode.com project which is OpenFPC compatible, but
>>>> several orders of magnitude faster than OpenFPC.  So my recommendation
>>>> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
>>>> retrieval is just too slow for my taste, and so that precludes running
>>>> Squert.
>>>>
>>>> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...> wrote:
>>>> > Alexus,
>>>> > Full disclosure, I work with Mephux on Snorby but I don't think James or
>>>> > Alex correctly or accurately answered your question, so I wanted to throw
>>>> > in my $0.02.
>>>> >
>>>> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
>>>> > years ago). It doesn't plug in with any of the packet capture frameworks
>>>> > out there and its interface is disorganized compared to the other
>>>> > available front-ends. It's dead, let's move on. Supporting a dead
>>>> > open-source project hurts the actively developed efforts out there.
>>>> >
>>>> > Squert is a bad ass project in active development. One thing James didn't
>>>> > mention though is that it requires SGUIL which utilizes an entirely
>>>> > different DB schema than the ones provided by the snort/barnyard2 db
>>>> > output plugins. SGUIL requires a bit more expertise to get up and running
>>>> > than your standard Snort + front-end solution. If you want to go that
>>>> > route Squert is a good SGUIL companion.
>>>> >
>>>> > Snorby is a RECENT development in the community. It was first introduced
>>>> > in 2009 and has far surpassed BASE in functionality. I work with Mephux
>>>> > developing Snorby and here are some of the reasons I would recommend it
>>>> > to anyone:
>>>> >
>>>> > It's actively developed by two passionate NSM analysts.
>>>> > It allows you to pivot on datapoints in the events without interrupting
>>>> > the analyst's thought process (rule content, related alerts, ip arin/whois
>>>> > data).
>>>> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
>>>> > Capture.
>>>> > It has exportable and beautiful PDF reports and metrics.
>>>> >
>>>> > The security industry is evolving so rapidly that choosing a dead project
>>>> > like BASE for your SOC, MSSP, CIRT, or even personal use is just setting
>>>> > you up for failure.
>>>> >
>>>> > Other people agree with this assessment and that is why the project has
>>>> > been accepted into the Security Onion Distro and featured on The Change Log.
>>>> > Other analysts are excited about Snorby as well. Check out these
>>>> > articles:
>>>> >
>>>> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
>>>> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
>>>> >
>>>> > If you want to check out Snorby check out our live demo at
>>>> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
>>>> > If you want to test out Snorby in your environment, check out
>>>> > Insta-Snorby (www.snorby.org), it's a turn-key Snorby.
>>>> > Enjoy the project and please support us!
>>>> > Mephux and Terracatta
>>>> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:
>>>> >>
>>>> >>
>>>> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
>>>> >>
>>>> >> >I was wondering what's popular/good web interfaces these days?
>>>> >> >
>>>> >> >--
>>>> >> >http://alexus.org/
>>>> >> >
>>>> >>
>>>> >> >
>>>> >--------------------------------------------------------------------------
>>>> >> >----
>>>> >> >EMC VNX: the world's simplest storage, starting under $10K
>>>> >> >The only unified storage solution that offers unified management
>>>> >> >Up to 160% more powerful than alternatives and 25% more efficient.
>>>> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>>>> >> >_______________________________________________
>>>> >> >Snort-users mailing list
>>>> >> >Snort-users at lists.sourceforge.net
>>>> >> >Go to this URL to change user options or unsubscribe:
>>>> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> >> >Snort-users list archive:
>>>> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> >> >
>>>> >> >Please visit http://blog.snort.org to stay current on all the
>>>> >> >latest Snort news!
>>>> >>
>>>> >> BASE seems to give the maximum amount of information/reports vs. ease of
>>>> >> install.  SQueRT is awesome, but does require a few extra processes
>>>> >> running.  Snorby is "ok"...not very good for reports at least in my
>>>> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
>>>> >> tuned snort install since you don't have an easy method to delete
>>>> >> entries.
>>>> >>
>>>> >> James
>>>> >>
>>>> >
>>>>
>>>>
>>>
>>>
>>
>