[Snort-users] snort web interface

Dustin Webber dustin.webber at ...11827...
Tue Aug 23 22:45:24 EDT 2011


Alex,

Totally agree with you -- requirements dictate the tools, software and
libraries.

Dustin W. Webber
Dustin.Webber at ...11827...


On Tue, Aug 23, 2011 at 10:41 PM, Alex Wright <wrightalexw at ...131...> wrote:

> This yahoo is a newer address. I will never tell someone what to use.
> Certain standards exist and will be used as necessary. I actually like
> snorby and their neat turnkey deal is a fun addition. People have their own
> reqs eh?
>
>
> Sent from Yahoo! Mail on Android
>
>  ------------------------------
> * From: * Dustin Webber <dustin.webber at ...11827...>;
> * To: * Alex Wright <wrightalexw at ...131...>;
> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
> * Subject: * Re: [Snort-users] snort web interface
> * Sent: * Wed, Aug 24, 2011 2:35:14 AM
>
>   Alex,
>
> The yahoo reference was intended to provoke conversation about change.
> People tend to have a comfort zone about software that is inevitably leading
> to his/her doom. As a software engineer I don't even understand the word
> `preference` or `preferrer`.. only what is suitable for the current problem.
>
> By all means.. continue using BASE if you are comfortable with it and if
> it's a common dependence. I mean, people still write lisp.. so I guess that's
> ok, right?
>
> Dustin W. Webber
> Dustin.Webber at ...11827...
>
>
> On Tue, Aug 23, 2011 at 10:27 PM, Alex Wright <wrightalexw at ...131...> wrote:
>
>> I have a gmail also. I can reg that if it makes the gods happy. I
>> responded saying BASE is standard oh no. It is a common standard. OSS means
>> you decide.
>>
>>
>> Sent from Yahoo! Mail on Android
>>
>>  ------------------------------
>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>> * To: * Alex Wright <wrightalexw at ...131...>;
>> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
>> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>> * Subject: * Re: [Snort-users] snort web interface
>> * Sent: * Wed, Aug 24, 2011 2:22:28 AM
>>
>>   Alex,
>>
>> Pain?.. dude, you are using yahoo mail.. you really expected us to take
>> you seriously? You offered advice based on age? `What's the center of the
>> universe?` said person X. `Well, the sun obviously.. based on age and
>> commonality.`
>>
>> please..
>>
>> Dustin W. Webber
>> Dustin.Webber at ...11827...
>>
>>
>> On Tue, Aug 23, 2011 at 10:19 PM, Alex Wright <wrightalexw at ...131...> wrote:
>>
>>> So much pain.
>>>
>>>
>>> Sent from Yahoo! Mail on Android
>>>
>>>  ------------------------------
>>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>>> * To: * Alex Wright <wrightalexw at ...131...>;
>>> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
>>> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>>> * Subject: * Re: [Snort-users] snort web interface
>>> * Sent: * Wed, Aug 24, 2011 2:13:49 AM
>>>
>>>
>>> Alex,
>>>
>>> Like I said.. not trying to be mean.. think of it as `information
>>> security intervention`. - Sometimes the truth feels like an insult.. but
>>> it's just the truth.
>>>
>>> Dustin W. Webber
>>> Dustin.Webber at ...11827...
>>>
>>>
>>> On Tue, Aug 23, 2011 at 10:10 PM, Alex Wright <wrightalexw at ...131...> wrote:
>>>
>>>>  I responded to the popular half. And agreed with you. I'm sure insults
>>>> commonly progress things though.
>>>>
>>>>
>>>>  Sent from Yahoo! Mail on Android
>>>>
>>>>  ------------------------------
>>>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>>>> * To: * Alex Wright <wrightalexw at ...131...>;
>>>> * Cc: * mcholste at ...11827... <mcholste at ...11827...>;
>>>> snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>;
>>>>  * Subject: * Re: [Snort-users] snort web interface
>>>> * Sent: * Wed, Aug 24, 2011 2:06:14 AM
>>>>
>>>>
>>>> Well.. VI is pretty common.. but if you use that over VIM, well you're
>>>> just an idiot. -- dude, not trying to be mean.. but srsly.. you are setting
>>>> us all back in evolution.. just stop.
>>>>
>>>> Dustin W. Webber
>>>> Dustin.Webber at ...11827...
>>>>
>>>>
>>>> On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <wrightalexw at ...131...> wrote:
>>>>
>>>>>  Superiority doesn't prevent BASE from being common.
>>>>>
>>>>> -adam
>>>>>
>>>>>
>>>>> Sent from Yahoo! Mail on Android
>>>>>
>>>>>  ------------------------------
>>>>> * From: * Dustin Webber <dustin.webber at ...11827...>;
>>>>> * To: * Martin Holste <mcholste at ...11827...>;
>>>>> * Cc: * Snort <snort-users at lists.sourceforge.net>;
>>>>>  * Subject: * Re: [Snort-users] snort web interface
>>>>> * Sent: * Wed, Aug 24, 2011 1:55:52 AM
>>>>>
>>>>>   All,
>>>>>
>>>>> Very concerned with the comments by James Lay and Adam
>>>>> Wright... Idiotic to say the least... anyways..
>>>>>
>>>>> Second, I don't think I have ever heard anyone sum up how important
>>>>> full packet capture is then Martin Holste just did (since Bam/Richard of
>>>>> course). I'm biased in this decision because I started and maintain snorby
>>>>> but if you decided to use another tool please make sure it follows the
>>>>> NSM guidelines. Sguil, snorby, Squert and the upcoming nsmframework
>>>>> are your best options for a proper IR/NSM solution.
>>>>>
>>>>> Martin, I would like to work with you on getting StreamDB a proper
>>>>> snorby plugin/menu selection.
>>>>>
>>>>> Dustin W. Webber
>>>>> Dustin.Webber at ...11827...
>>>>> (913) 375-2798
>>>>>
>>>>>
>>>>> On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste at ...11827...> wrote:
>>>>>
>>>>>> I agree with Jason:  BASE is dead and clunky, and not all that easy to
>>>>>> install.  If you are looking for a dead simple install with no traffic
>>>>>> integration, then I suggest having Snort (or barnyard) output to
>>>>>> syslog and send it to a personal version of Splunk, which is free.
>>>>>> You can get that up and running in about five minutes.  However,
>>>>>> Snorby is superior and worth putting a few more (but not too many
>>>>>> more) minutes of time because you get the packet integration.  In my
>>>>>> opinion, unless you have access to the traffic you are inspecting with
>>>>>> your IDS in some sort of raw form, you are operating a crippled
>>>>>> installation and have no way to make informed decisions about good or
>>>>>> bad events on the network.
>>>>>>
>>>>>> I will also mention that Snorby integrates with my
>>>>>> StreamDB.googlecode.com project which is OpenFPC compatible, but
>>>>>> several orders of magnitude faster than OpenFPC.  So my recommendation
>>>>>> would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
>>>>>> retrieval is just too slow for my taste, and so that precludes running
>>>>>> Squert.
>>>>>>
>>>>>> On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller at ...11827...> wrote:
>>>>>> > Alexus,
>>>>>> > Full disclosure, I work with Mephux on Snorby but I don't think James or
>>>>>> > Alex correctly or accurately answered your question, so I wanted to throw in
>>>>>> > my $0.02.
>>>>>> >
>>>>>> > BASE is a dead project and hasn't had a new feature pushed since 2008 (3
>>>>>> > years ago). It doesn't plug in with any of the packet capture frameworks out
>>>>>> > there and its interface is disorganized compared to the other available
>>>>>> > front-ends. It's dead, let's move on. Supporting a dead open-source project
>>>>>> > hurts the actively developed efforts out there.
>>>>>> >
>>>>>> > Squert is a bad ass project in active development. One thing James didn't
>>>>>> > mention though is that it requires SGUIL which utilizes an entirely
>>>>>> > different DB schema than the ones provided by the snort/barnyard2 db output
>>>>>> > plugins. SGUIL requires a bit more expertise to get up and running than your
>>>>>> > standard Snort + front-end solution. If you want to go that route Squert is
>>>>>> > a good SGUIL companion.
>>>>>> >
>>>>>> > Snorby is a RECENT development in the community. It was first introduced in
>>>>>> > 2009 and has far surpassed BASE in functionality. I work with Mephux
>>>>>> > developing Snorby and here are some of the reasons I would recommend it to
>>>>>> > anyone:
>>>>>> >
>>>>>> > It's actively developed by two passionate NSM analysts.
>>>>>> > It allows you to pivot on datapoints in the events without interrupting
>>>>>> > analyst's thought process (rule content, related alerts, ip arin/whois data)
>>>>>> > It integrates with OpenFPC and Solera DeepSee products for Full Packet
>>>>>> > Capture.
>>>>>> > It has exportable and beautiful PDF reports and metrics.
>>>>>> >
>>>>>> > The security industry is evolving so rapidly that choosing a dead project
>>>>>> > like BASE for your SOC, MSSP, CIRT, or even personal use is just setting you
>>>>>> > up for failure.
>>>>>> >
>>>>>> > Other people agree with this assessment and that is why the project has been
>>>>>> > accepted into Security Onion Distro and featured on The Change Log.
>>>>>> > Other analysts are excited about Snorby as well. Check out these articles:
>>>>>> >
>>>>>> > http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
>>>>>> > http://www.aldeid.com/wiki/An-interesting-forensics-analysis
>>>>>> >
>>>>>> > If you want to check out Snorby check out our live demo at
>>>>>> > http://demo.snorby.org (u: demo at ...15054..., p: snorby)
>>>>>> > If you want to test out Snorby in your environment, check out Insta-Snorby
>>>>>> > (www.snorby.org), it's a turn-key Snorby.
>>>>>> > Enjoy the project and please support us!
>>>>>> > Mephux and Terracatta
>>>>>> > On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay at ...13475...> wrote:
>>>>>> >>
>>>>>> >>
>>>>>> >> On 8/23/11 5:04 PM, "alexus" <alexus at ...11827...> wrote:
>>>>>> >>
>>>>>> >> >I was wondering what's popular/good web interfaces these days?
>>>>>> >> >
>>>>>> >> >--
>>>>>> >> >http://alexus.org/
>>>>>> >> >
>>>>>> >>
>>>>>> >> >
>>>>>> >> >------------------------------------------------------------------------------
>>>>>> >> >EMC VNX: the world's simplest storage, starting under $10K
>>>>>> >> >The only unified storage solution that offers unified management
>>>>>> >> >Up to 160% more powerful than alternatives and 25% more efficient.
>>>>>> >> >Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
>>>>>> >> >_______________________________________________
>>>>>> >> >Snort-users mailing list
>>>>>> >> >Snort-users at lists.sourceforge.net
>>>>>> >> >Go to this URL to change user options or unsubscribe:
>>>>>> >> >https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> >> >Snort-users list archive:
>>>>>> >> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>> >> >
>>>>>> >> >Please visit http://blog.snort.org to stay current on all the latest
>>>>>> >> >Snort news!
>>>>>> >>
>>>>>> >> BASE seems to give the maximum amount of information/reports vs. ease of
>>>>>> >> install.  SQueRT is awesome, but does require a few extra processes
>>>>>> >> running.  Snorby is "ok"...not very good for reports at least in my
>>>>>> >> experience.  For SQueRT and Snorby, it's pretty crucial that you have a
>>>>>> >> tuned snort install since you don't have an easy method to delete entries.
>>>>>> >>
>>>>>> >> James
>>>>>> >>
>>>>>> >>
>>>>>> >
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
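The one technical point that survives the flaming above is that an alert is only worth something if you can get from it to the traffic behind it (Martin's syslog-to-Splunk setup, the Snorby/OpenFPC/StreamDB pivot). Added example, not code from anyone on this thread or from any of the projects named: it parses Snort/barnyard2 syslog alert lines in the `[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port` form and turns each into the BPF filter you would hand to whatever pcap store you keep, including ICMP alerts that carry no ports; the syslog excerpt is constructed and the IPv4-only assumption is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Body of a Snort/barnyard2 syslog alert (IPv4 only here; ports are absent for e.g. ICMP):
#   [gid:sid:rev] msg [Classification: text] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$")

@dataclass
class Alert:
    gid: int; sid: int; rev: int
    msg: str; classification: str; priority: int; proto: str
    src: str; sport: Optional[int]; dst: str; dport: Optional[int]

def parse_alert(line: str) -> Optional[Alert]:
    """Alert for a syslog alert line; None for daemon chatter and anything else."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    port = lambda v: int(v) if v is not None else None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"] or "",
                 int(m["prio"]), m["proto"].upper(), m["src"], port(m["sport"]),
                 m["dst"], port(m["dport"]))

def bpf_filter(a: Alert) -> str:
    """BPF expression selecting both directions of the conversation behind the alert."""
    proto = a.proto.lower()
    if a.sport is not None and a.dport is not None:
        return f"{proto} and host {a.src} and host {a.dst} and port {a.sport} and port {a.dport}"
    return f"{proto} and host {a.src} and host {a.dst}"   # no ports: ICMP and friends

def pivots(text: str) -> List[Tuple[Alert, str]]:
    """(alert, bpf) pairs for every alert line in a syslog excerpt, in file order."""
    alerts = (parse_alert(line) for line in text.splitlines())
    return [(a, bpf_filter(a)) for a in alerts if a is not None]

# Constructed sample (not real traffic): one daemon message and two alerts.
SAMPLE_SYSLOG = """\
Aug 23 21:41:00 sensor1 snort[2231]: Initializing daemon mode
Aug 23 21:41:02 sensor1 snort[2231]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
Aug 23 21:41:09 sensor1 snort[2231]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
"""

if __name__ == "__main__":
    for a, f in pivots(SAMPLE_SYSLOG):
        print(f"sid {a.sid} rev {a.rev} prio {a.priority}: {a.msg}\n  tcpdump -r store.pcap '{f}'")
```

The printed tcpdump line is only one consumer of the filter; the same expression works against any libpcap-based store you keep next to the sensor.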