[Snort-users] Distributed Snort

Jeremy Hoel jthoel at ...11827...
Fri May 11 14:33:39 EDT 2012


Side Note - Why do you think sguil requires vnc?  I am running the
client on both windows and linux workstations to a server receiving
alerts from 50 sensors.  And the server is a virtual server in another
state.

Base (as was mentioned) is easy to set up and can grow to the point
that queries become too slow.

Sguil is a series of tools/scripts that can give you much more
information about alerts, if they are all running.

Snorby is a Ruby tool, like base, that lets you view alerts and
categorize them.  It's getting some support from other add-on tools as
well (openFPC for example).

And Security Onion, while a great tool, is a distro that you live-run
or install, and it installs everything.  So if you already have a
working snort and barnyard install, then what you are really looking
for is a better interface and all three above can work, depending on
how you use the alerts.

On Fri, May 11, 2012 at 6:18 PM, Ian Bowers <iggdawg at ...11827...> wrote:
> I'd like to throw in some support for security onion as well.  It's pretty
> fantastic, and mad easy to set up.  Granted the baseline phase is no
> different from any other Snort deployment, so you still get to get your
> hands dirty if you're like me and you enjoy that sort of thing.
>
> It was easy to install BASE on as well.  Just untar into /var/www and
> install a couple packages (php5-adodb or libphp-adodb...  or both...  I don't
> remember) and configure base_conf.php, and you're up and running.
>
> Eric - I agree there are better tools than BASE for handling events, but I
> view BASE as a direct portal to the database.  There are no background
> daemons that have to collect info or anything, it just says "here's what I
> got".  And sometimes that's what I want.  Snorby is good, but it doesn't suit the
> way I handle IDS.  Sguil is very good, but it requires a VNC session
> (although projects like jSguil look promising).  In the case of security
> onion sguil is especially handy since it's your easy-access portal to all
> the packet captures.  But for a quick check of what's going on, BASE rocks.
> And I can move to a more legit tool to classify and investigate if I feel
> it's worth looking into.
>
>
>
> On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose at ...11827...> wrote:
>>
>> Hi
>>
>> I could also recommend SecurityOnion, http://securityonion.blogspot.com,
>>  which has this capability by default.
>> Only thing is that it doesn't have Base but it has Snorby, Squert and
>> Sguil instead.
>>
>> Give it a try it only takes a few minutes to setup...
>>
>> /Lysemose
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
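The thread keeps coming back to BASE being "a direct portal to the database" that barnyard2 fills from many sensors, and to its queries slowing down as that database grows. The following is an added example, not code from the thread nor from BASE, Sguil, Snorby or Security Onion: it builds a trimmed-down copy of the Snort database schema that barnyard2's database output writes (sensor, signature, event, iphdr, keyed by sensor id plus per-sensor counter), loads a few constructed alert rows from two sensors, and runs the two queries a BASE-style console spends its time on: top signatures over a time window, and the source addresses behind one signature. The schema subset, the sample rows, the signature names (local-range SIDs) and the use of sqlite3 in place of MySQL are all assumptions made for the example.

```python
"""Added example (not from the thread): BASE-style queries against the kind of
database that barnyard2 fills from many Snort sensors.

Assumptions, not stated in the thread: the four tables below are a trimmed
subset of the classic Snort/barnyard2 schema; every row is constructed sample
data; sqlite3 stands in for the MySQL/PostgreSQL backend a real deployment uses.
"""
import socket
import sqlite3
import struct
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2012, 5, 11, 18, 0, 0)  # fixed clock so results are deterministic

# Trimmed subset of the Snort DB schema. Each sensor numbers its own events (cid),
# so the event key is (sid, cid): that is what keeps 50 sensors from colliding.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, PRIMARY KEY (sid, cid));
-- the index a "last N hours" console query lives or dies by once event is large
CREATE INDEX event_time ON event(timestamp);
"""


def ip_to_int(dotted):
    """The schema stores IPv4 addresses as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_sample_db(now=NOW):
    """Create the in-memory database and load constructed alerts from two sensors."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?)",
                     [(1, "sensor-dc1", "eth1"), (2, "sensor-dc2", "eth1")])
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", [
        (10, "SAMPLE SCAN ssh probe", 2, 1000001),      # constructed, local-range SID
        (11, "SAMPLE POLICY tftp outbound", 3, 1000002),
    ])
    ago = lambda **kw: (now - timedelta(**kw)).strftime(TS_FMT)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 10, ago(hours=1)),
        (1, 2, 10, ago(hours=2)),
        (1, 3, 11, ago(hours=3)),
        (2, 1, 10, ago(minutes=30)),
        (2, 2, 10, ago(hours=30)),   # older than a 24 h window: must be excluded
    ])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?)", [
        (1, 1, ip_to_int("10.0.0.5"),    ip_to_int("192.0.2.10"),   6),
        (1, 2, ip_to_int("10.0.0.5"),    ip_to_int("192.0.2.11"),   6),
        (1, 3, ip_to_int("192.0.2.20"),  ip_to_int("198.51.100.7"), 17),
        (2, 1, ip_to_int("10.0.0.5"),    ip_to_int("192.0.2.30"),   6),
        (2, 2, ip_to_int("10.0.0.9"),    ip_to_int("192.0.2.30"),   6),
    ])
    conn.commit()
    return conn


def top_signatures(conn, hours=24, limit=10, now=NOW):
    """Console front page: (sig_name, hits, distinct sensors, last seen) per signature."""
    since = (now - timedelta(hours=hours)).strftime(TS_FMT)
    return conn.execute("""
        SELECT s.sig_name, COUNT(*) AS hits, COUNT(DISTINCT e.sid) AS sensors,
               MAX(e.timestamp) AS last_seen
        FROM event e JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp >= ?
        GROUP BY s.sig_id ORDER BY hits DESC, s.sig_name LIMIT ?""",
        (since, limit)).fetchall()


def sources_for_signature(conn, sig_id, hours=24, now=NOW):
    """Drill-down: which sources fired one signature, across how many sensors."""
    since = (now - timedelta(hours=hours)).strftime(TS_FMT)
    rows = conn.execute("""
        SELECT i.ip_src, COUNT(*) AS hits, COUNT(DISTINCT e.sid) AS sensors
        FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE e.signature = ? AND e.timestamp >= ?
        GROUP BY i.ip_src ORDER BY hits DESC""", (sig_id, since)).fetchall()
    return [(int_to_ip(src), hits, sensors) for src, hits, sensors in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for name, hits, sensors, last in top_signatures(db):
        print(f"{hits:4d} hits on {sensors} sensor(s)  last {last}  {name}")
    print(sources_for_signature(db, 10))
```

The join on (sid, cid) is the one that matters in a distributed deployment: sensor 1 and sensor 2 both have an event with cid 1, and only the compound key keeps their iphdr rows apart. The 30-hour-old row from sensor 2 drops out of the window, which is the filter the timestamp index exists for; without that index, a console that queries the live table directly scans every event each time the page is refreshed, which is the slowdown the thread describes.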