[Snort-users] BASE and Snorby running together
scastle at ...14946...
Wed Feb 22 18:49:43 EST 2012
I'm giving up on the idea of running BASE on SO, now. I guess I was just wistful for the old days.
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
From: Dustin Webber [mailto:dustin.webber at ...11827...]
Sent: Wednesday, February 22, 2012 15:58
To: Castle, Shane
Cc: Jason Wallace; security-onion at ...14071...; Snort-Users
Subject: Re: [Snort-users] BASE and Snorby running together
RE: Searching -- This is in the works, pretty easy to add, but the design/workflow gets a bit more challenging. Most of my time has been spent on Snorby 3.0.0; however, this weekend I'll hack it in.
RE: Timestamps -- Snorby existed before Security Onion. i.e. It was not built just to be included. Why would SO enforcing UTC mean Snorby should conform? I do agree it should be a customizable option. (This is pretty low on the priority list. SUPER low.. because srsly.. do math)
Just so I fully understand let me go over the facts from your last email.
1. You're not a fan of fixing XSS/SQL inject.
2. You downloaded Security Onion and instead of using Sguil (currently still the best open source IR application) you installed a vulnerable php and setup BASE. Since you have personal problems with Snorby.. I would love to hear why BASE is better than Sguil.. Please, do tell.
On Feb 22, 2012, at 5:03 PM, Castle, Shane wrote:
> BASE used to have some functions that worked better before the coders decided they needed to protect against SQL/XSS injection. Now I can't enter SQL wildcard expansions ("LIKE %stuff%") in my queries. The search and restricting the results to "unique alerts" (a misnomer but admittedly probably the best wording) capabilities are big shortcomings of Snorby. The ability to do multiple drill-downs based on IP address, the requirement to drill down to the IP address itself before name resolution occurs, and especially the ability to construct detailed searches that can then be used to delete the found alerts (invaluable for tuning and getting rid of multiple FPs) is foremost.
> And as mentioned, I am really trying to like it but I'm just not feeling the love :( . Not that I'm getting it much from BASE anymore either.
> I have my current BASE screen set up to report on the last 100 "unique alerts", which gets me most of the day's unique listings, and I can quickly drill down to who/what are the most likely suspects. Snorby's display of each and every alert is just a waste of my time paging through screen after screen of junk alerts (at my current level of tuning - really need to get the Snort config'd right).
> As I mentioned in my first post, this is using Security Onion, so squert and Sguil are there too. I just don't want to give up all the work and learning that I put into BASE over the years.
> And why can't I get 24-hour clock timestamps in Snorby? What's up with that? Who uses AM and PM for that anymore? Since SO wants the entire system to use UTC it makes it tiresome to do mod(12) arithmetic and then offset 7 hours. Yes I know it's a nit but it's a really annoying one.
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
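The exchange above treats "protect against SQL injection" and "allow LIKE wildcards in searches" as if they were in conflict. They are not: binding the search pattern as a query parameter keeps an attacker from changing the SQL, while `%` and `_` inside the bound value still act as LIKE wildcards, so a console can offer both a wildcard mode and a literal mode. The script below is an added example, not code from BASE, Snorby, Security Onion or anyone in this thread; the signature table, the sample rule names and the helper names (`search_unsafe`, `search_wildcard`, `search_literal`, `escape_like`) are all constructed here for illustration, using SQLite in memory in place of the MySQL schema a real console would query.

```python
import sqlite3

# Constructed sample signature names, not real alert data from any sensor.
SAMPLE_SIGNATURES = [
    "ET SCAN Nmap Scripting Engine User-Agent Detected",
    "ET POLICY Dropbox Client Broadcasting",
    "GPL ICMP_INFO PING *NIX",
    "ET MALWARE 100% Fake AV download",
]


def make_db():
    """Build an in-memory table shaped loosely like a console's signature table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO signature (sig_name) VALUES (?)",
        [(s,) for s in SAMPLE_SIGNATURES],
    )
    return conn


def search_unsafe(conn, user_pattern):
    """The 'before' picture: the user's text is spliced into the SQL, so a quote in it rewrites the WHERE clause."""
    sql = (
        "SELECT sig_name FROM signature WHERE sig_name LIKE '%"
        + user_pattern
        + "%' ORDER BY sig_id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_wildcard(conn, user_pattern):
    """Wildcard mode: the analyst may type % and _ freely.

    The whole pattern is bound as a parameter, so it can never be parsed as SQL;
    LIKE still interprets % and _ inside the bound value, which is exactly what
    a "LIKE %stuff%" search wants.
    """
    rows = conn.execute(
        "SELECT sig_name FROM signature WHERE sig_name LIKE ? ORDER BY sig_id",
        (user_pattern,),
    )
    return [row[0] for row in rows]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters (and the escape char itself) so the term matches literally."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_literal(conn, term):
    """Literal substring mode: a '%' or '_' typed by the analyst matches only itself.

    The ESCAPE clause tells the database which character marks an escaped wildcard.
    """
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT sig_name FROM signature WHERE sig_name LIKE ? ESCAPE '\\' ORDER BY sig_id",
        (pattern,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe, injected:   ", search_unsafe(db, payload))      # every row comes back
    print("bound, same input:  ", search_wildcard(db, payload))    # nothing matches
    print("wildcard 'ET %':    ", search_wildcard(db, "ET %"))
    print("literal '100%':     ", search_literal(db, "100%"))
    print("literal '_':        ", search_literal(db, "_"))
```

Run with the injection string, the concatenated query returns the whole table because the clause becomes `sig_name LIKE '%' OR '1'='1%'`, while the bound query returns nothing because the same text is only ever a pattern. Note that binding alone does not make `_` or `%` literal; a console that wants a plain substring search needs the `ESCAPE` handling shown in `search_literal`, and the exact escape syntax (here SQLite's) should be checked against the database actually in use.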