[Snort-users] Distributed Snort

Ian Bowers iggdawg at ...11827...
Fri May 11 16:40:07 EDT 2012


Apologies, you're both 100% right.  While I meant "remote session" I'm
still wrong since you can indeed get sguil running on just about any
platform.

On Fri, May 11, 2012 at 2:37 PM, Doug Burks <doug.burks at ...11827...> wrote:

> Ian,
>
> Thanks for your kind words about Security Onion!
>
> A slight correction.  Sguil doesn't require a VNC session.  You can
> install the Sguil client on just about any platform and point it at
> the server.  We actually recommend running Security Onion in a VM on
> your analyst workstation since this gives you the Sguil client,
> Wireshark, NetworkMiner, and a whole slew of other pcap tools for
> analysis.
>
> Thanks,
> Doug
>
> On Fri, May 11, 2012 at 2:18 PM, Ian Bowers <iggdawg at ...11827...> wrote:
> > I'd like to throw in some support for security onion as well.  It's
> > pretty fantastic, and mad easy to set up.  Granted the baseline phase is
> > no different from any other Snort deployment, so you still get to get
> > your hands dirty if you're like me and you enjoy that sort of thing.
> >
> > It was easy to install BASE on as well.  Just untar into /var/www and
> > install a couple packages (php5-adodb or libphp-adodb...  or both...  I
> > don't remember) and configure base_conf.php.  And you're up and running.
> >
> > Eric - I agree there are better tools than BASE for handling events, but
> > I view BASE as a direct portal to the database.  There are no background
> > daemons that have to collect info or anything, it just says "here's what
> > I got".  And sometimes that's what I want.  Snorby is good, but it
> > doesn't suit the way I handle IDS.  Sguil is very good, but it requires a
> > VNC session (although projects like jSguil look promising).  In the case
> > of security onion sguil is especially handy since it's your easy-access
> > portal to all the packet captures.  But for a quick check of what's going
> > on, BASE rocks.  And I can move to a more legit tool to classify and
> > investigate if I feel it's worth looking into.
> >
> >
> >
> > On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose at ...11827...> wrote:
> >>
> >> Hi
> >>
> >> I could also recommend SecurityOnion, http://securityonion.blogspot.com,
> >> which has this capability by default.
> >> Only thing is that it doesn't have Base but it has Snorby, Squert and
> >> Sguil instead.
> >>
> >> Give it a try, it only takes a few minutes to set up...
> >>
> >> /Lysemose
> >
> --
> Doug Burks | http://securityonion.blogspot.com
> Don't miss SANS SEC503 Intrusion Detection In-Depth in
> Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
> http://augusta.issa.org/drupal/SANS-Augusta-2012
>