[Snort-users] BASE and Snorby running together

Jason Wallace jason.r.wallace at ...11827...
Wed Feb 22 16:27:29 EST 2012


I'm really trying to like Snorby, but there are a few things that keep
driving me away. I haven't used BASE in a while (I'm a recent Sguil
convert), but the things I remember...

1. The search functionality in BASE was far more flexible than in
Snorby. There is no OR in the Snorby search page. When I see an alert
one of the first things I want to know is, what other alerts did the
source or destination produce. In Snorby you can't search for
'src=10.1.1.1 OR dst=10.1.1.1 in the last X amount of time'.

What I would really like to see is a button (like the "copy to
clipboard" one) that will bring up all of the unclassified events with
that IP address as either the src or dst. One click, see them all.

2. Personal annoyance. On the Ascii tab, it displays spaces as dots.
To me anyway, this makes it a little confusing to read.

3. (not in BASE but I'll throw this in for free) If you expand an
alert, and then hotkey-classify it, the UI sends you back to the main
events page. It would be faster, for an analyst, if the UI just
brought up the next alert, already expanded, in the list. An
option to display either the hex or ascii tab would be great too.

4. Unique IP links. In BASE you could easily get a summary of all the
unique IP to IP events. This made it easy to spot loud offenders.
ex.

src      | dst      | count

10.1.1.1 | 1.1.1.1  | 2
2.2.2.2  | 10.1.1.2 | 1
2.2.2.2  | 10.1.1.3 | 1

5. Canned info on the main page. Most frequent src or dst, top 5
alerts (great for initial tuning), etc

6. Clickable links to the rule references.

7. Delete alerts.

Just a few off the top of my head.

thx,
wally
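The two lookups asked for in points 1 and 4 above (src OR dst within the last X hours, and unique src -> dst pair counts), as an added example that is not part of this message or of Snorby/BASE: it builds an in-memory SQLite stand-in for the event and iphdr tables of the Snort database schema (column names assumed from that schema, rows constructed for the example) and runs both queries against it.

```python
import sqlite3
import ipaddress
from datetime import datetime, timedelta

def ip2int(addr):
    # the Snort DB schema stores IPv4 addresses as unsigned 32-bit integers
    return int(ipaddress.IPv4Address(addr))

def int2ip(n):
    return str(ipaddress.IPv4Address(n))

# Constructed sample alerts, not real data: (sid, cid, sig_id, age, src, dst)
NOW = datetime(2012, 2, 22, 16, 0, 0)
SAMPLE = [
    (1, 1, 100, timedelta(minutes=5),  "10.1.1.1", "1.1.1.1"),
    (1, 2, 100, timedelta(minutes=10), "10.1.1.1", "1.1.1.1"),
    (1, 3, 200, timedelta(minutes=30), "2.2.2.2",  "10.1.1.2"),
    (1, 4, 200, timedelta(hours=3),    "2.2.2.2",  "10.1.1.3"),
    (1, 5, 300, timedelta(hours=5),    "3.3.3.3",  "10.1.1.1"),
]

def build_db():
    """In-memory stand-in for the event and iphdr tables (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE event(sid INT, cid INT, signature INT, timestamp TEXT);
        CREATE TABLE iphdr(sid INT, cid INT, ip_src INT, ip_dst INT);
    """)
    for sid, cid, sig, age, src, dst in SAMPLE:
        ts = (NOW - age).isoformat(sep=" ")
        db.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (?,?,?,?)",
                   (sid, cid, ip2int(src), ip2int(dst)))
    return db

def alerts_for_ip(db, addr, hours, now=NOW):
    """cids of alerts with addr as src OR dst in the last `hours` hours."""
    since = (now - timedelta(hours=hours)).isoformat(sep=" ")
    n = ip2int(addr)
    rows = db.execute("""
        SELECT e.cid FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
        WHERE (i.ip_src = ? OR i.ip_dst = ?) AND e.timestamp >= ?
        ORDER BY e.timestamp DESC""", (n, n, since)).fetchall()
    return [r[0] for r in rows]

def pair_counts(db):
    """Unique src -> dst pairs with event counts, loudest talkers first."""
    rows = db.execute("""
        SELECT ip_src, ip_dst, COUNT(*) AS n FROM iphdr
        GROUP BY ip_src, ip_dst ORDER BY n DESC, ip_src, ip_dst""").fetchall()
    return [(int2ip(s), int2ip(d), n) for s, d, n in rows]
```

Against a real Snort database the same two SELECT statements apply unchanged apart from the timestamp type and the integer-to-dotted-quad conversion, which MySQL does with INET_NTOA.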

On Wed, Feb 22, 2012 at 3:40 PM, Dustin Webber <dustin.webber at ...11827...> wrote:
> Just curious.. What are the features that snorby does not have? Last time I
> checked snorby shadowed BASE in every area and then some.
>
> - Dustin
>
> On Feb 22, 2012, at 3:06 PM, Jan Seidl <lists at ...15522...> wrote:
>
> Shane, have you tried sguil with squert?
>
> On Feb 22, 2012 3:04 PM, "Castle, Shane" <scastle at ...14946...> wrote:
>
