[Snort-users] Distributed Snort
iggdawg at ...11827...
Fri May 11 16:40:07 EDT 2012
Apologies, you're both 100% right. While I meant "remote session" I'm
still wrong since you can indeed get sguil running on just about any
On Fri, May 11, 2012 at 2:37 PM, Doug Burks <doug.burks at ...11827...> wrote:
> Thanks for your kind words about Security Onion!
> A slight correction. Sguil doesn't require a VNC session. You can
> install the Sguil client on just about any platform and point it at
> the server. We actually recommend running Security Onion in a VM on
> your analyst workstation since this gives you the Sguil client,
> Wireshark, NetworkMiner, and a whole slew of other pcap tools for
> On Fri, May 11, 2012 at 2:18 PM, Ian Bowers <iggdawg at ...11827...> wrote:
> > I'd like to throw in some support for security onion as well. It's
> > fantastic, and mad easy to set up. Granted the baseline phase is no
> > different from any other Snort deployment, so you still get to get your
> > hands dirty if you're like me and you enjoy that sort of thing.
> > It was easy to install BASE on as well. Just untar into /var/www and
> > install a couple packages (php5-adodb or libphp-adodb... or both... I
> > remember) and configure base_conf.php, and you're up and running.
> > Eric - I agree there are better tools than BASE for handling events, but
> > view BASE as a direct portal to the database. There are no background
> > daemons that have to collect info or anything, it just says "here's what
> > got". And sometimes that's I want. Snorby is good, but it doesn't suit
> > way I handle IDS. Sguil is very good, but it requires a VNC session
> > (although projects like jSguil look promising). In the case of security
> > onion sguil is especially handy since it's your easy-access portal to all
> > the packet captures. But for a quick check of whats going on, BASE
> > And I can move to a more legit tool to classify and investigate if I
> > it's worth looking into.
> > On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose at ...11827...> wrote:
> >> Hi
> >> I could also recommend SecurityOnion, http://securityonion.blogspot.com
> >> which has this capability by default.
> >> Only thing is that it doesn't have BASE, but it has Snorby, Squert and
> >> Sguil instead.
> >> Give it a try; it only takes a few minutes to set up...
> >> /Lysemose
> Doug Burks | http://securityonion.blogspot.com
> Don't miss SANS SEC503 Intrusion Detection In-Depth in
> Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!