[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 22:35:14 EDT 2011


Alex,

The Yahoo reference was intended to provoke conversation about change.
People tend to have a comfort zone about software that is inevitably leading
to their doom. As a software engineer I don't even understand the word
`preference` or `preferrer`.. only what is suitable for the current problem.

By all means.. continue using BASE if you are comfortable with it and if it's
a common dependence. I mean, people still write Lisp.. so I guess that's OK,
right?

Dustin W. Webber
Dustin.Webber at ...11827...


On Tue, Aug 23, 2011 at 10:27 PM, Alex Wright <wrightalexw at ...131...> wrote:

> I have a gmail also. I can reg that if it makes the gods happy. I responded
> saying BASE is standard oh no. It is a common standard. OSS means you
> decide.
>
>
> Sent from Yahoo! Mail on Android
>
>  ------------------------------
> * From: * Dustin Webber <dustin.webber at ...11827...>;
> * To: * Alex Wright <wrightalexw at ...131...>;
> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
> * Subject: * Re: [Snort-users] snort web interface
> * Sent: * Wed, Aug 24, 2011 2:22:28 AM
>
>   Alex,
>
> Pain?.. dude, you are using Yahoo mail.. you really expected us to take
> you seriously? You offered advice based on age? `What's the center of the
> universe?` said person X. `Well, the sun obviously.. based on age and
> commonality.`
>
> please..
>
> Dustin W. Webber
> Dustin.Webber at ...11827...
>
>
> On Tue, Aug 23, 2011 at 10:19 PM, Alex Wright <wrightalexw at ...131...> wrote:
>
>> So much pain.
>>
>>
>> Sent from Yahoo! Mail on Android
>>
>>  ------------------------------
>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>> * To: * Alex Wright <wrightalexw at ...131...>;
>> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
>> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>> * Subject: * Re: [Snort-users] snort web interface
>> * Sent: * Wed, Aug 24, 2011 2:13:49 AM
>>
>>
>> Alex,
>>
>> Like I said.. not trying to be mean.. think of it as `information security
>> intervention`. - Sometimes the truth feels like an insult.. but it's just
>> the truth.
>>
>> Dustin W. Webber
>> Dustin.Webber at ...11827...
>>
>>
>> On Tue, Aug 23, 2011 at 10:10 PM, Alex Wright <wrightalexw at ...131...> wrote:
>>
>>>  I responded to the popular half. And agreed with you. I'm sure insults
>>> commonly progress things though.
>>>
>>>
>>>  Sent from Yahoo! Mail on Android
>>>
>>>  ------------------------------
>>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>>> * To: * Alex Wright <wrightalexw at ...131...>;
>>> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
>>> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>>>  * Subject: * Re: [Snort-users] snort web interface
>>> * Sent: * Wed, Aug 24, 2011 2:06:14 AM
>>>
>>>
>>> Well.. VI is pretty common.. but if you use that over VIM, well you're
>>> just an idiot. -- dude, not trying to be mean.. but srsly.. you are setting
>>> us all back in evolution.. just stop.
>>>
>>> Dustin W. Webber
>>> Dustin.Webber at ...11827...
>>>
>>>
>>> On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <wrightalexw at ...131...> wrote:
>>>
>>>>  Superiority doesn't prevent BASE from being common.
>>>>
>>>> -adam
>>>>
>>>>
>>>> Sent from Yahoo! Mail on Android
>>>>
>>>>  ------------------------------
>>>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>>>> * To: * Martin Holste <mcholste at ...11827...>;
>>>> * Cc: * Snort <snort-users at lists.sourceforge.net>;
>>>>  * Subject: * Re: [Snort-users] snort web interface
>>>> * Sent: * Wed, Aug 24, 2011 1:55:52 AM
>>>>
>>>>   All,
>>>>
>>>> Very concerned with the comments by James Lay and Adam
>>>> Wright... Idiotic to say the least... anyways..
>>>>
>>>> Second, I don't think I have ever heard anyone sum up how important full
>>>> packet capture is than Martin Holste just did (since Bam/Richard of course).
>>>> I'm biased in this decision because I started and maintain Snorby but if you
>>>> decided to use another tool please make sure it follows the NSM guidelines.
>>>> Sguil, Snorby, Squert and the upcoming nsmframework are your best
>>>> options for a proper IR/NSM solution.
>>>>
>>>> Martin, I would like to work with you on getting StreamDB a proper
>>>> Snorby plugin/menu selection.
>>>>
>>>> Dustin W. Webber
>>>> Dustin.Webber at ...11827...
>>>> (913) 375-2798
>>>>
>>>>
>>>> On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...> wrote:
>>>>
>>>>> I agree with Jason:  BASE is dead and clunky, and not all that easy to
>>>>> install.  If you are looking for a dead simple install with no traffic
>>>>> integration, then I suggest having Snort (or barnyard) output to
>>>>> syslog and send it to a personal version of Splunk, which is free.
>>>>> You can get that up and running in about five minutes.  However,
>>>>> Snorby is superior and worth putting a few more (but not too many
>>>>> more) minutes of time because you get the packet integration.  In my
>>>>> opinion, unless you have access to the traffic you are inspecting with
>>>>> your IDS in some sort of raw form, you are operating a crippled
>>>>> installation and have no way to make informed decisions about good or
>>>>> bad events on the network.
>>>>>
>>>>> I will also mention that Snorby integrates with my
>>>>> StreamDB.googlecode.com project which is OpenFPC compatible, but
>>>>> several orders of magnitude faster than OpenFPC.  So my recommendation
>>>>> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
>>>>> retrieval is just too slow for my taste, and so that precludes running
>>>>> Squert.
>>>>>
>>>>> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...> wrote:
>>>>> > Alexus,
>>>>> > Full disclosure, I work with Mephux on Snorby but I don't think James or
>>>>> > Alex correctly or accurately answered your question, so I wanted to throw in
>>>>> > my $0.02.
>>>>> >
>>>>> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
>>>>> > years ago). It doesn't plug in with any of the packet capture frameworks out
>>>>> > there and its interface is disorganized compared to the other available
>>>>> > front-ends. It's dead, let's move on. Supporting a dead open-source project
>>>>> > hurts the actively developed efforts out there.
>>>>> >
>>>>> > Squert is a bad ass project in active development. One thing James didn't
>>>>> > mention though is that it requires SGUIL which utilizes an entirely
>>>>> > different DB schema than the ones provided by the snort/barnyard2 db output
>>>>> > plugins. SGUIL requires a bit more expertise to get up and running than your
>>>>> > standard Snort + front-end solution. If you want to go that route Squert is
>>>>> > a good SGUIL companion.
>>>>> >
>>>>> > Snorby is a RECENT development in the community. It was first introduced in
>>>>> > 2009 and has far surpassed BASE in functionality. I work with Mephux
>>>>> > developing Snorby and here are some of the reasons I would recommend it to
>>>>> > anyone:
>>>>> >
>>>>> > It's actively developed by two passionate NSM analysts.
>>>>> > It allows you to pivot on datapoints in the events without interrupting
>>>>> > the analyst's thought process (rule content, related alerts, IP ARIN/whois data).
>>>>> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
>>>>> > Capture.
>>>>> > It has exportable and beautiful PDF reports and metrics.
>>>>> >
>>>>> > The security industry is evolving so rapidly that choosing a dead project
>>>>> > like BASE for your SOC, MSSP, CIRT, or even personal use is just setting you
>>>>> > up for failure.
>>>>> >
>>>>> > Other people agree with this assessment and that is why the project has been
>>>>> > accepted into Security Onion Distro and featured on The Change Log.
>>>>> > Other analysts are excited about Snorby as well. Check out these articles:
>>>>> >
>>>>> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
>>>>> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
>>>>> >
>>>>> > If you want to check out Snorby check out our live demo at
>>>>> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
>>>>> > If you want to test out Snorby in your environment, check out Insta-Snorby
>>>>> > (www.snorby.org), it's a turn-key Snorby.
>>>>> > Enjoy the project and please support us!
>>>>> > Mephux and Terracatta
>>>>> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:
>>>>> >>
>>>>> >>
>>>>> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
>>>>> >>
>>>>> >> >I was wondering what's popular/good web interfaces these days?
>>>>> >> >
>>>>> >> >--
>>>>> >> >http://alexus.org/
>>>>> >> >
>>>>> >>
>>>>> >> >
>>>>> >> >------------------------------------------------------------------------------
>>>>> >> >EMC VNX: the world's simplest storage, starting under $10K
>>>>> >> >The only unified storage solution that offers unified management
>>>>> >> >Up to 160% more powerful than alternatives and 25% more efficient.
>>>>> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>>>>> >> >_______________________________________________
>>>>> >> >Snort-users mailing list
>>>>> >> >Snort-users at lists.sourceforge.net
>>>>> >> >Go to this URL to change user options or unsubscribe:
>>>>> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> >> >Snort-users list archive:
>>>>> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>> >> >
>>>>> >> >Please visit http://blog.snort.org to stay current on all the latest
>>>>> >> >Snort news!
>>>>> >>
>>>>> >> BASE seems to give the maximum amount of information/reports vs. ease of
>>>>> >> install.  SQueRT is awesome, but does require a few extra processes
>>>>> >> running.  Snorby is "ok"...not very good for reports at least in my
>>>>> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
>>>>> >> tuned snort install since you don't have an easy method to delete entries.
>>>>> >>
>>>>> >> James
>>>>> >>
>>>>> >
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>