[Snort-users] Trending

James Lay jlay at ...13475...
Wed Jul 13 22:53:46 EDT 2011

On 7/13/11 6:36 PM, "Paul Halliday" <paul.halliday at ...11827...> wrote:

>On Wed, Jul 13, 2011 at 5:20 PM, Lay, James <james.lay at ...15009...>
>> Hey all!
>> So...I've got Snorby installed...it was a hoot, but it's done now.  My goal
>> the GUI is to easily see trends over time....try and catch the bad guys
>> scan 5 ports a day and junk like that.  Is Snorby the best for this or
>> there something else better out there?  Thanks for any advice.
> Like a canned view?
>Would you want to be able to create the conditions for the view
>yourself? What criteria would you want to be able to choose from?
>How do you see the operation of something like that? What interval is
>good? an hourly summary? Daily? Monthly?
>What other 'junk'?
>Just looking for ideas.

Howdy Paul,

Yea...I saw Squert out there...I messed with getting sguil here at home
working...it was a monumental task.  Once looking at it I got the
impression that it was a "for the moment" type of front-end.

As for a canned view, it would be nice to see things exactly like
that...an hourly/daily/weekly/last seven days/monthly...top
5/10/20/50/100...these could be "let me see the top five hits to port 25
over the last seven days", or "let me see all the hits with SID ##### over
the last month".  We should be able to choose just about all types of
criteria..source/dest ports, source/dest IP, SID, even rule text (been
seeing the CIARMY sids now and then...would be neat to be able to see all
hits that have the word "Reputation" in them for example).  I have to
create monthly reports manually right now with the .fast log, snortalog,
and Excel (8-|).

In my mind, conditions for a view could be "show me all alerts from any
source for the last day, but show me just the sources that have hit five
or below times".  This would show me the sneakers...think a slow motion
brute force.  Hard to miss someone trying to brute force at 500 times an
hour, more difficult for something like the above.

Something that's also requested of me is breakdown of source over a month
period...usually by country...an "out of all the attacks we had this
month, the top ten attacking countries were...".  Seeing this laid out
over each quarter is really good to be able to show where we may need to
concentrate on firewalling netblocks.  One challenge I haven't overcome is
to go a layer deeper and graph out top ten attacking countries with
attacked ports as well.

The ability to delete things is crucial to me, and this is an area where
Snorby lags.  I make a point to keep my eye on executables and x86
shellcode hits even when legit (i.e. Windows update, drivers, etc...).
Just today a large batch was downloaded.  Now, I KNOW what these are, so I
want to just delete them...but can't, with Snorby they are now there.  I
understand the reasoning behind it, but eh....it's a hassle.  The 30
minute Dashboard update with Snorby is slow as well.  I wish there was an
option for me to change the interval.

Multi-layered bar graphs and pie charts are what I see requested most.  I
think executives want the facts to see the trends so they can predict
where to go next.

So there we have it....hope that helps :)
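An added example (not James's, Snorby's or Snort's own code) of the kind of trend queries described above, written in Python over a constructed Snort alert_fast excerpt: sources with five or fewer hits in a one-day window (the slow ones), top destination ports for the window, and a rule-text match such as "Reputation". The SIDs, IPs and rule messages in the sample are constructed, and the parser assumes the standard alert_fast line layout with a supplied year, since the fast timestamp carries none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One Snort alert_fast line; the timestamp has no year, so one is supplied when parsing.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_fast(lines, year=2011):
    """Parse alert_fast lines into dicts with a datetime 'ts'; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append(a)
    return alerts

def day_window(year, month, day):
    """[start, end) covering one calendar day, the 'last day' style of view."""
    start = datetime(year, month, day)
    return start, start + timedelta(days=1)

def sneakers(alerts, start, end, max_hits=5):
    """Sources with at most max_hits alerts in the window: the slow-motion brute-force candidates."""
    counts = Counter(a["src"] for a in alerts if start <= a["ts"] < end)
    return {src: n for src, n in counts.items() if n <= max_hits}

def top_ports(alerts, start, end, n=5):
    """Top-n destination ports by alert count in the window (e.g. top hits to port 25)."""
    return Counter(a["dport"] for a in alerts if start <= a["ts"] < end).most_common(n)

def with_text(alerts, word):
    """Alerts whose rule message contains word, e.g. every hit with 'Reputation' in it."""
    return [a for a in alerts if word.lower() in a["msg"].lower()]

# Constructed sample data (local-range SIDs, documentation IPs); not a real capture.
SAMPLE = [
    "07/12-23:50:00.000001  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51001 -> 192.0.2.10:22",
    "07/13-01:05:10.000001  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51002 -> 192.0.2.10:22",
    "07/13-13:22:41.000001  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51003 -> 192.0.2.10:22",
    "07/13-09:40:01.000001  [**] [1:1000003:1] LOCAL Poor Reputation IP inbound [**] [Priority: 2] {TCP} 198.51.100.9:40001 -> 192.0.2.10:25",
] + [
    f"07/13-10:00:{s:02d}.000001  [**] [1:1000002:1] LOCAL SMTP AUTH brute attempt [**] [Priority: 2] {{TCP}} 192.0.2.99:4{s:04d} -> 192.0.2.10:25"
    for s in range(6)
]
```

The noisy source with six hits in one hour drops out of `sneakers` while the two-hit SSH prober and the single reputation hit stay, which is the "five or below" view; the 07/12 line is outside the window and never counts.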

