[Snort-users] BASE 1.4.x updates?
Shawn.Jefferson at ...14448...
Fri Feb 18 12:34:55 EST 2011
I have hacked in support for StreamDB and OpenFPC into my own BASE 1.4.x (screenshot attached), which simplifies several steps I was going through when analyzing events. If anyone is interested, let me know, and I can post what I've changed and added (it's not pretty, but it works!).
Is development on BASE 1.4.x now stopped in favor of BASE 2.0? I've made several mods to the BASE that I'm using and I'd like to see these ideas brought into BASE (2.0 for sure, ideally backported to 1.4.5 if 2.0 is still way off):
1. Support for more links on the base_stat_ipaddr page, specifically the ability to call a URL with specific parameters (like computer name, etc.). I'm using this to link to a systems management product that gives more detail on the computer in question.
2. Further on this idea, I have changed base_stat_ipaddr to just show the patch/update information directly from my systems management product; this is a great time-saving feature, as you are looking through an event and wonder if that software is even installed on that asset, or whether that patch is missing or not.
3. A way to link to a function (that the user would provide) that takes the CVE from the rule/alert as a parameter, and returns TRUE or FALSE. The function could lookup the CVE in a systems management product (that's what I'm doing), or anything else (Nessus scan results stored in a file or database). Use this value to highlight those alerts where the attack matches the vulnerability. (Currently I show these in red to highlight them.)
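An added example of the hook described in item 3, not code from the post or from BASE: a user-supplied lookup that takes the target host and the CVE from the alert's rule reference and returns TRUE/FALSE against scan results, here backed by a constructed CSV export (Nessus-style host/CVE rows) and constructed sample alerts. The sids, IPs and the reference-string layout are assumptions for illustration.

```python
"""Correlate IDS alerts with vulnerability-scan findings by CVE."""
import csv
import io
import re

# Constructed sample scan export: one (host, CVE) finding per row.
SCAN_RESULTS_CSV = """host,cve
10.0.0.5,CVE-2008-4250
10.0.0.5,CVE-2010-2568
10.0.0.9,CVE-2009-3103
"""

# Constructed sample alerts: sid, destination IP, and the rule's
# reference string in Snort's "system,tag" form (assumed layout).
ALERTS = [
    {"sid": 1000001, "dst": "10.0.0.5", "refs": "cve,2008-4250"},
    {"sid": 1000002, "dst": "10.0.0.9", "refs": "cve,2008-4250"},
    {"sid": 1000003, "dst": "10.0.0.5", "refs": "url,example.invalid"},
]

# Accepts "cve,2008-4250" (rule syntax) and "CVE-2008-4250" (scan output).
CVE_RE = re.compile(r"(?i)cve[,-]\s*(\d{4}-\d{4,})")


def load_findings(csv_text):
    """Return a set of (host, 'CVE-YYYY-NNNN') pairs from the scan export."""
    findings = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.add((row["host"].strip(), row["cve"].strip().upper()))
    return findings


def extract_cves(refs):
    """Pull every CVE id out of a rule reference string."""
    return {"CVE-" + tag for tag in CVE_RE.findall(refs)}


def is_vulnerable(findings, host, cve):
    """The user-provided function from the post: TRUE when the scan data
    says this host carries the CVE the rule references."""
    return (host, cve.upper()) in findings


def alerts_to_highlight(alerts, findings):
    """Return sids of alerts whose attack matches a known vulnerability
    on the destination host (the ones BASE would render in red)."""
    return [a["sid"] for a in alerts
            if any(is_vulnerable(findings, a["dst"], c)
                   for c in extract_cves(a["refs"]))]
```

Alerts with no CVE reference, or whose target does not carry the referenced CVE, are left unhighlighted.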