[Snort-users] Distributed Snort
iggdawg at ...11827...
Fri May 11 14:18:33 EDT 2012
I'd like to throw in some support for security onion as well. It's pretty
fantastic, and mad easy to set up. Granted the baseline phase is no
different from any other Snort deployment, so you still get to get your
hands dirty if you're like me and you enjoy that sort of thing.
It was easy to install BASE on it as well: just untar into /var/www,
install a couple of packages (php5-adodb or libphp-adodb... or both... I
don't remember) and configure base_conf.php, and you're up and running.
Eric - I agree there are better tools than BASE for handling events, but I
view BASE as a direct portal to the database. There are no background
daemons that have to collect info or anything, it just says "here's what I
got". And sometimes that's what I want. Snorby is good, but it doesn't suit
the way I handle IDS. Sguil is very good, but it requires a VNC session
(although projects like jSguil look promising). In the case of security
onion sguil is especially handy since it's your easy-access portal to all
the packet captures. But for a quick check of what's going on, BASE rocks.
And I can move to a more legit tool to classify and investigate if I feel
it's worth looking into.
On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose at ...11827...> wrote:
> I could also recommend SecurityOnion, http://securityonion.blogspot.com,
> which has this capability by default.
> Only thing is that it doesn't have Base but it has Snorby, Squert and
> Sguil instead.
> Give it a try, it only takes a few minutes to set up...
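The post above describes the BASE install as "untar into /var/www, install the ADOdb package, edit base_conf.php". The script below is an added example written for this page (not from the post, and not part of BASE or Security Onion) that sanity-checks a base_conf.php after that step: it confirms the configured `$DBlib_path` actually contains ADOdb, that the DB password is not empty or the shipped placeholder, and that the file, which holds Snort DB credentials in clear text under the web root, is not world-readable. It assumes the variable names and double-quoted values of BASE's stock base_conf.php.dist (`$DBlib_path`, `$alert_dbname`, `$alert_password`) and that `"mypassword"` is the placeholder shipped in that file; all paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the BASE project.
# Assumes the stock base_conf.php variable names ($DBlib_path, $alert_dbname,
# $alert_password) with double-quoted values, as in base_conf.php.dist.

# conf_value FILE NAME: print the double-quoted value of $NAME from FILE.
conf_value() {
    grep "^\$$2 *=" "$1" | head -n 1 | cut -d'"' -f2
}

# check_base_conf FILE: return 0 when the config looks usable and safe,
# 1 when at least one check fails, 2 when the file cannot be read.
check_base_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "missing or unreadable: $conf"; return 2; }

    # The ADOdb path must point at a real install (php5-adodb / libphp-adodb
    # on Debian-style systems put adodb.inc.php under the configured dir).
    lib=$(conf_value "$conf" DBlib_path)
    if [ -n "$lib" ] && [ -f "$lib/adodb.inc.php" ]; then
        echo "ok: ADOdb found at $lib"
    else
        echo "FAIL: \$DBlib_path='$lib' has no adodb.inc.php"
        rc=1
    fi

    # Empty password or the placeholder from base_conf.php.dist (assumed
    # to be "mypassword") means the file was never actually configured.
    pw=$(conf_value "$conf" alert_password)
    if [ -z "$pw" ] || [ "$pw" = "mypassword" ]; then
        echo "FAIL: \$alert_password is empty or still the shipped default"
        rc=1
    fi

    # base_conf.php carries the Snort database credentials in clear text and
    # lives under /var/www, so it must not be readable by every local user.
    if [ -n "$(find "$conf" -perm -004 -print)" ]; then
        echo "FAIL: $conf is world-readable (chmod 640 and chown to the web user)"
        rc=1
    fi

    return "$rc"
}
```

Run it as `check_base_conf /var/www/base/base_conf.php` after editing the config; a non-zero exit tells you which of the three checks to fix before pointing a browser at BASE.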