[Snort-users] Distributed Snort

Doug Burks doug.burks at ...11827...
Fri May 11 14:37:52 EDT 2012


Ian,

Thanks for your kind words about Security Onion!

A slight correction.  Sguil doesn't require a VNC session.  You can
install the Sguil client on just about any platform and point it at
the server.  We actually recommend running Security Onion in a VM on
your analyst workstation since this gives you the Sguil client,
Wireshark, NetworkMiner, and a whole slew of other pcap tools for
analysis.

Thanks,
Doug

On Fri, May 11, 2012 at 2:18 PM, Ian Bowers <iggdawg at ...11827...> wrote:
> I'd like to throw in some support for security onion as well.  It's pretty
> fantastic, and mad easy to set up.  Granted the baseline phase is no
> different from any other Snort deployment, so you still get to get your
> hands dirty if you're like me and you enjoy that sort of thing.
>
> It was easy to install BASE on as well.  Just untar into /var/www and
> install a couple packages (php5-adodb or libphp-adodb...  or both...  I don't
> remember) and configure base_conf.php, and you're up and running.
>
> Eric - I agree there are better tools than BASE for handling events, but I
> view BASE as a direct portal to the database.  There are no background
> daemons that have to collect info or anything, it just says "here's what I
> got".  And sometimes that's what I want.  Snorby is good, but it doesn't suit the
> way I handle IDS.  Sguil is very good, but it requires a VNC session
> (although projects like jSguil look promising).  In the case of Security
> Onion, Sguil is especially handy since it's your easy-access portal to all
> the packet captures.  But for a quick check of what's going on, BASE rocks.
> And I can move to a more legit tool to classify and investigate if I feel
> it's worth looking into.
>
>
>
> On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose at ...11827...> wrote:
>>
>> Hi
>>
>> I could also recommend SecurityOnion, http://securityonion.blogspot.com,
>> which has this capability by default.
>> Only thing is that it doesn't have BASE, but it has Snorby, Squert and
>> Sguil instead.
>>
>> Give it a try it only takes a few minutes to setup...
>>
>> /Lysemose
>



-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012