[Snort-users] BASE and Snorby running together

Castle, Shane scastle at ...14946...
Wed Feb 22 17:03:19 EST 2012

BASE useta have some functions that worked better before the coders decided they needed to protect against SQL/XSS injection. Now I can't enter SQL wildcard expansions ("LIKE %stuff%") in my queries. The search and restricting the results to "unique alerts" (a misnomer but admittedly probably the best wording) capabilities are big shortcomings of Snorby. The ability to do multiple drill-downs based on IP address, the requirement to drill down to the IP address itself before name resolution occurs, and especially the ability to construct detailed searches that can then be used to delete the found alerts (invaluable for tuning and getting rid of multiple FPs) is foremost.

And as mentioned, I am really trying to like it but I'm just not feeling the love :( . Not that I'm getting it much from BASE anymore either.

I have my current BASE screen set up to report on the last 100 "unique alerts", which gets me most of the day's unique listings, and I can quickly drill down to who/what are the most likely suspects. Snorby's display of each and every alert is just a waste of my time paging through screen after screen of junk alerts (at my current level of tuning - really need to get the Snort config'd right).

As I mentioned in my first post, this is using Security Onion, so squert and Sguil are there too. I just don't want to give up all the work and learning that I put into BASE over the years.

And why can't I get 24-hour clock timestamps in Snorby? What's up with that? Who uses AM and PM for that anymore? Since SO wants the entire system to use UTC it makes it tiresome to do mod(12) arithmetic and then offset 7 hours. Yes I know it's a nit but it's a really annoying one.

Shane Castle
Data Security Mgr, Boulder County IT

More information about the Snort-users mailing list