[Snort-users] Distributed Snort
jthoel at ...11827...
Fri May 11 14:33:39 EDT 2012
Side Note - Why do you think sguil requires vnc? I am running the
client on both windows and linux workstations to a server receiving
alerts from 50 sensors. And the server is a virtual server in another
Base (like was mentioned) is easy to set up and can grow to the point
that queries become too slow.
Sguil is a series of tools/scripts that can give you much more
information about alerts, if they are all running
Snorby is a Ruby tool, like base, that lets you view alerts and
categorize them. It's getting some support from other add-on tools as
well (openFPC for example).
And Security Onion, while a great tool, is a distro that you live run
or install, and it installs everything. So if you already have a
working snort and barnyard install, then what you are really looking
for is a better interface and all three above can work, depending on
how you use the alerts.
On Fri, May 11, 2012 at 6:18 PM, Ian Bowers <iggdawg at ...11827...> wrote:
> I'd like to throw in some support for security onion as well. It's pretty
> fantastic, and mad easy to set up. Granted the baseline phase is no
> different from any other Snort deployment, so you still get to get your
> hands dirty if you're like me and you enjoy that sort of thing.
> It was easy to install BASE on as well. Just untar into /var/www and
> install a couple packages (php5-adodb or libphp-adodb... or both... I don't
> remember) and configure base_conf.php, and you're up and running.
> Eric - I agree there are better tools than BASE for handling events, but I
> view BASE as a direct portal to the database. There are no background
> daemons that have to collect info or anything, it just says "here's what I
> got". And sometimes that's I want. Snorby is good, but it doesn't suit the
> way I handle IDS. Sguil is very good, but it requires a VNC session
> (although projects like jSguil look promising). In the case of security
> onion sguil is especially handy since it's your easy-access portal to all
> the packet captures. But for a quick check of what's going on, BASE rocks.
> And I can move to a more legit tool to classify and investigate if I feel
> it's worth looking into.
> On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose at ...11827...> wrote:
>> I could also recommend SecurityOnion, http://securityonion.blogspot.com,
>> which has this capability by default.
>> Only thing is that it doesn't have Base, but it has Snorby, Squert and
>> Sguil instead.
>> Give it a try, it only takes a few minutes to set up...