[Snort-users] BASE and Snorby running together

Dustin Webber dustin.webber at ...11827...
Wed Feb 22 16:07:50 EST 2012


Shawn,

Can you elaborate on what you mean by "Unique IP Links" and "Unique
Alerts"?

Do you mean unique signatures/rules or does BASE do event correlation now
based on event attributes? If not, then this would be the signature
listing in Snorby, but either way it's pretty pointless.

Unique IP Links: not sure what this means, but if you mean unique IPs,
Snorby generates metrics for unique src/dst every 30 mins, every day.
Click the pie chart to drill into the events for that address.

Either way, can you explain to me why this information is so critical
that someone would use Snorby in conjunction with BASE?

- Dustin

Dustin W. Webber
Dustin.Webber at ...11827...
(913) 375-2798


On Wed, Feb 22, 2012 at 3:55 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

>  On the demo, I noticed that Snorby didn’t seem to have the same
> functionality as the “Unique IP Links”, and “Unique Alerts” that BASE has?
> Maybe I just missed how to view alerts in that way?
>
>
>
>
>  ------------------------------
>
> *From:* Dustin Webber [mailto:dustin.webber at ...11827...]
> *Sent:* February 22, 2012 12:41 PM
> *To:* Jan Seidl
> *Cc:* security-onion at ...14071...; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] BASE and Snorby running together
>
>
>
> Just curious... What are the features that Snorby does not have? Last time
> I checked, Snorby shadowed BASE in every area and then some.
>
> - Dustin
>
>
> On Feb 22, 2012, at 3:06 PM, Jan Seidl <lists at ...15522...> wrote:
>
> Shane, have you tried Sguil with Squert?
>
> On Feb 22, 2012 3:04 PM, "Castle, Shane" <scastle at ...14946...>
> wrote: