[Snort-users] Snorby opinions

Martin Holste mcholste at ...11827...
Mon Jun 6 20:17:25 EDT 2011


Good discussion!  I think it's good to reevaluate the status quo every
so often, so taking a look at one's analysis console to see if it can
be improved upon is worthwhile.  Shawn, since you've modified BASE to
fit your environment, you'll see less bang-for-buck in upgrading to
Snorby.  Most BASE users do not have single-click access to
pcap/streams, and that alone makes upgrading worthwhile.

However, Dustin's points are correct--tagging, workflow,
reporting--these kinds of advanced features are critical in a lot of
medium to large environments, and are surprisingly helpful even in
small environments.  Either way, having multiple viable options for
viewing your alerts is important for the community to ensure
quality--I like to see the bar continue to be pushed upward.

On Mon, Jun 6, 2011 at 12:38 PM, Dustin Webber <dustin.webber at ...11827...> wrote:
> All,
> I would like to clarify that I was talking about the languages -- not
> applications written in them. If you're a good programmer you could build
> amazing applications with anything. Just consider all languages before you
> start a new project. If that language works best for the job... then use it.
> (except php.. never use that.)
> Honestly.. we should all be writing in TCL anyways...
> Dustin W. Webber
> Dustin.Webber at ...11827...
> On Mon, Jun 6, 2011 at 12:30 PM, Dustin Webber <dustin.webber at ...11827...>
> wrote:
>>
>> Snorby is not about being `flashy` - It's about proper interface design
>> and workflow. The ability to produce metrics and quickly navigate
>> (hotkeys), classify and investigate are a few of Snorby's strengths.
>> Snorby will be moving to a custom collection/processing system soon using
>> my unified2 lib (https://github.com/mephux/unified2) and the snorby-collect
>> cl tool (https://github.com/Snorby/snorby-collect). This will open a few
>> doors for snorby users like event preprocessing/categorization before
>> insert/storage using a simple and clean DSL (Like a unified2 ORM -
>> supporting all modern datastores: key/value, mongodb etc..). You will have
>> the ability to design the datastore to fit your needs and snorby will just
>> sit on top with a translation layer.
>> The security community seems to have a personal vendetta with design and
>> new technology. I'm not sure I will ever fully understand why but in my eyes
>> if we don't start moving forward and accepting UX theory
>> and incorporating new technologies (yes, let's stop using perl and php
>> please) we will never evolve. </rant>
>> Sometimes pretty does not mean gimmick; we just cared about it.
>> Dustin W. Webber
>> Dustin.Webber at ...11827...
>>
>>
>> On Mon, Jun 6, 2011 at 12:06 PM, Jefferson, Shawn
>> <Shawn.Jefferson at ...14448...> wrote:
>>>
>>> I'm one of those BASE people still... It's difficult to move off of it
>>> now, since I've modified it to link with my patch management and AV/HIPS
>>> products (as well as StreamDB and OpenFPC).
>>>
>>> What does Snorby give you that BASE doesn't (besides a much flashier
>>> GUI?)
>>>
>>> -----Original Message-----
>>> From: Martin Holste [mailto:mcholste at ...11827...]
>>> Sent: Sunday, June 05, 2011 9:58 AM
>>> To: Lay, James
>>> Cc: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Snorby opinions
>>>
>>> Snorby is great--anyone still messing around with BASE is missing out!
>>>
>>> Also, if you want a ridiculously fast packet capture tool to integrate
>>> with Snorby, you can use StreamDB (streamdb.googlecode.com) as a
>>> drop-in replacement for OpenFPC (Snorby hooks into OpenFPC under
>>> "Packet Capture Options").  Your packets (streams in this case) will
>>> load instantaneously (versus a minute or more with OpenFPC on large
>>> pcaps).
>>>
>>> On Fri, Jun 3, 2011 at 10:02 AM, Lay, James <james.lay at ...15009...>
>>> wrote:
>>> > Hey all!
>>> >
>>> >
>>> >
>>> > Topic says it..anyone run Snorby here?  Would love to get some
>>> > opinions. I'm needing something more.."pretty" (though personally I
>>> > think tailing .fast logs in a console is pretty).  Thanks for any input.
>>> >
>>> >
>>> >
>>> > James
>>> >
>>> >
>>> > ------------------------------------------------------------------------------
>>> > Simplify data backup and recovery for your virtual environment with
>>> > vRanger.
>>> > Installation's a snap, and flexible recovery options mean your data is
>>> > safe,
>>> > secure and there when you need it. Discover what all the cheering's
>>> > about.
>>> > Get your free trial download today.
>>> > http://p.sf.net/sfu/quest-dev2dev2
>>> > _______________________________________________
>>> > Snort-users mailing list
>>> > Snort-users at lists.sourceforge.net
>>> > Go to this URL to change user options or unsubscribe:
>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > Snort-users list archive:
>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >
>>>
>>
>
>
>
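The "event preprocessing/categorization before insert/storage" step Dustin describes above, as an added example written for this page. It is not Snorby's code and not the mephux/unified2 gem: it is a stand-alone reader for Snort unified2 IDS event records (record type 7, the legacy IPv4 event layout, field order and network byte order as in Snort's Unified2_common.h) followed by a small tagging pass that stands in for the DSL mentioned in the thread. The tag rules, the `10.0.0.0/8` "internal" range and the two sample events are all constructed here for illustration; the spool bytes are built in-line rather than read from a sensor.

```ruby
# Added example: parse unified2 IDS events and tag them before storage.
# Not Snorby's code and not the mephux/unified2 gem API.
require 'socket'
require 'ipaddr'

UNIFIED2_IDS_EVENT = 7            # record type of the legacy IPv4 IDS event
RECORD_HEADER_FMT  = 'N2'.freeze  # uint32 type, uint32 length (big-endian)
IDS_EVENT_FMT      = 'N11n2C4'.freeze  # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT_FIELDS   = %i[
  sensor_id event_id event_second event_microsecond
  signature_id generator_id signature_revision
  classification_id priority_id ip_source ip_destination
  sport_itype dport_icode protocol impact_flag impact blocked
].freeze

# Build one complete record (8-byte header + 52-byte body) from a field hash.
def build_ids_event(fields)
  body = IDS_EVENT_FIELDS.map { |f| fields.fetch(f) }.pack(IDS_EVENT_FMT)
  [UNIFIED2_IDS_EVENT, body.bytesize].pack(RECORD_HEADER_FMT) + body
end

# Walk a unified2 byte string, yielding {type:, body:} per record.
# A record whose declared length runs past the end of the data (a spool
# file still being written) is treated as truncated and iteration stops.
def each_record(data)
  return enum_for(:each_record, data) unless block_given?
  offset = 0
  while offset + 8 <= data.bytesize
    type, length = data.byteslice(offset, 8).unpack(RECORD_HEADER_FMT)
    break if offset + 8 + length > data.bytesize
    yield({ type: type, body: data.byteslice(offset + 8, length) })
    offset += 8 + length
  end
end

# Decode a type-7 body into a hash; addresses are rendered as dotted quads.
def parse_ids_event(body)
  raise ArgumentError, 'short IDS event body' unless body.bytesize == 52
  ev = IDS_EVENT_FIELDS.zip(body.unpack(IDS_EVENT_FMT)).to_h
  ev[:ip_source]      = IPAddr.new(ev[:ip_source], Socket::AF_INET).to_s
  ev[:ip_destination] = IPAddr.new(ev[:ip_destination], Socket::AF_INET).to_s
  ev
end

# Hypothetical pre-storage tagging rules (name => predicate on the event).
# These stand in for the categorization DSL the thread talks about.
TAG_RULES = {
  'high-priority' => ->(ev) { ev[:priority_id] == 1 },
  'blocked'       => ->(ev) { ev[:blocked] != 0 },
  'internal-src'  => ->(ev) { IPAddr.new('10.0.0.0/8').include?(ev[:ip_source]) },
  'http'          => ->(ev) { ev[:protocol] == 6 && ev[:dport_icode] == 80 }
}.freeze

def tag_event(ev)
  ev.merge(tags: TAG_RULES.select { |_, rule| rule.call(ev) }.keys)
end

# Parse and tag every IDS event in a spool chunk; other record types
# (packet, extra data) are skipped in this example.
def process_spool(data)
  each_record(data)
    .select { |rec| rec[:type] == UNIFIED2_IDS_EVENT }
    .map    { |rec| tag_event(parse_ids_event(rec[:body])) }
end

# Constructed sample: two events followed by a partial (4-byte) header.
SAMPLE_EVENTS = [
  { sensor_id: 1, event_id: 1, event_second: 1_307_396_245, event_microsecond: 0,
    signature_id: 1_000_001, generator_id: 1, signature_revision: 1,
    classification_id: 3, priority_id: 1,
    ip_source: IPAddr.new('10.1.2.3').to_i, ip_destination: IPAddr.new('192.0.2.10').to_i,
    sport_itype: 51_234, dport_icode: 80, protocol: 6, impact_flag: 0, impact: 0, blocked: 1 },
  { sensor_id: 1, event_id: 2, event_second: 1_307_396_246, event_microsecond: 0,
    signature_id: 1_000_002, generator_id: 1, signature_revision: 2,
    classification_id: 3, priority_id: 3,
    ip_source: IPAddr.new('198.51.100.7').to_i, ip_destination: IPAddr.new('10.9.9.9').to_i,
    sport_itype: 4444, dport_icode: 22, protocol: 6, impact_flag: 0, impact: 0, blocked: 0 }
].freeze
SAMPLE_SPOOL = (SAMPLE_EVENTS.map { |f| build_ids_event(f) }.join + "\x00\x00\x00\x07".b).freeze

if __FILE__ == $PROGRAM_NAME
  process_spool(SAMPLE_SPOOL).each do |ev|
    puts "event #{ev[:event_id]} sid #{ev[:signature_id]} " \
         "#{ev[:ip_source]} -> #{ev[:ip_destination]} tags=#{ev[:tags].inspect}"
  end
end
```

The tagging happens on the decoded hash before anything touches a datastore, which is the point of doing categorization at collection time: the storage layer only ever sees events that already carry the labels an analyst filters on, and a truncated spool tail is handled by stopping at the last complete record rather than storing a half-read event.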



