[Snort-users] php, base issue

Rick Chisholm chavez243 at ...11827...
Fri May 18 13:35:53 EDT 2012


I know exactly what you mean Ron - long time BASE user as well, but I could
not keep fighting with it and I don't have the time to pick it up myself
and make it work. I agreed BASE seemed to present more info to the analyst,
I'm still getting used to Snorby. I'll admit it was a bitch getting Snorby
to work in my environment, but I'm content now that it is up. I think the
Snorby dev is also very open to suggestions for improvement, so if you want
a feature, just ask.

On Fri, May 18, 2012 at 1:30 PM, Ron Sinclair <unixfool at ...11827...> wrote:

> I hear such statements all the time.  Would be nice if someone took BASE
> and revamped (but not whole-hog) it.
>
> I've been using BASE for almost 10 years, even after using both Sguil and
> Snorby.  There's something about BASE that Snorby just can't match...just
> my opinion.  I do check Snorby from time to time to assess any new
> features.  Last I checked, it still had a long way to go, so I kept using
> BASE.  Sguil...I don't know, since I never force myself to spend enough
> time to better utilize it.  I usually just get frustrated and wipe it out.
>
> BASE seems less maintenance intensive than either Sguil and Snorby.  I
> don't want to have to learn Ruby/Rails to use Snorby.  I didn't really have
> to understand all that much about PHP to begin using BASE, and I already
> had a good knowledge of MySQL, Snort, and Apache (and a multitude of other
> things).  I'll be using BASE for another 10 years, or until something else
> (that isn't Sguil or Snorby) is released. If that doesn't happen, I'll go
> straight to the raw logs and begin using correlation scripts and tools.
>
>
> On Fri, May 18, 2012 at 1:06 PM, Rick Chisholm <chavez243 at ...11827...> wrote:
>
>> Hi Dennis:
>>
>> BASE is getting pretty long in the tooth, does not appear to be actively
>> developed and as PHP advances, is slowly breaking. It is advisable to
>> switch to something like Snorby, Sguil etc.
>>
>>  On Fri, May 18, 2012 at 12:37 PM, Dennis Circolone <
>> djcircolone at ...11827...> wrote:
>>
>>>  Hello,
>>> I have configured snort-2.9.2.2 on an opensuse 12.1 box, everything is
>>> working great except for the portscan traffic stays at 0% after an NMAP
>>> test and when I select source ports link or dest ports link I receive an
>>> error. Does anyone know how I can resolve this issue?
>>>
>>>
>>> Basic Analysis and Security Engine (BASE)
>>>
>>> [BASE main page navigation, all links pointing at http://10.2.7.170/base/:
>>> Today's / Last 24 Hours / Last 72 Hours alerts (unique, listing, Source IP,
>>> Destination IP); Most recent 15 Alerts (any protocol, TCP, UDP, ICMP);
>>> Last and Most Frequent Source/Destination Ports (any protocol, TCP, UDP);
>>> Most frequent 15 Addresses (Source, Destination); Most recent 15 Unique
>>> Alerts; Most frequent 5 Unique Alerts; Search; Graph Alert Data; Graph
>>> Alert Detection Time]
>>>
>>> Queried on: Fri May 18, 2012 16:34:43
>>> Database: snort at ...274...    (Schema Version: 107)
>>> Time Window: [2012-05-18 11:05:19] - [2012-05-18 11:06:55]
>>>
>>> Sensors/Total: 1 / 2
>>> Unique Alerts: 1
>>> Categories: 1
>>> Total Number of Alerts: 48
>>>    - Src IP addrs: 13
>>>    - Dest. IP addrs: 1
>>>    - Unique IP links: 13
>>>    - Source Ports: 2 (TCP 0, UDP 2)
>>>    - Dest Ports: 2 (TCP 0, UDP 2)
>>>
>>> Traffic Profile by Protocol: TCP (0%)   UDP (100%)   ICMP (0%)
>>> Portscan Traffic (0%)
>>>
>>> Basic Analysis and Security Engine (BASE)
>>> Home | Search
>>> [ Back ]
>>>
>>> /srv/www/htdocs/base/includes/base_cache.inc.php:556: ERROR:
>>> $number_sensors_array is NOT an array!
>>>
>>> /srv/www/htdocs/base/includes/base_cache.inc.php:564: ERROR:
>>> $number_sensors_array is either NULL or empty!
>>>
>>> Queried on: Fri May 18, 2012 16:36:23
>>> Meta Criteria: any   IP Criteria: any   Layer 4 Criteria: none
>>> Payload Criteria: any
>>>
>>> No Alerts were found.
>>>
>>> [empty results table with sortable columns: Port, Sensor, Occurrences,
>>> Unique Alerts, Src. Addr., Dest. Addr., First, Last; ACTION menu: ADD to
>>> AG (by ID), ADD to AG (by Name), Create AG (by Name), Delete alert(s),
>>> Email alert(s) (full/summary/csv), Archive alert(s) (copy/move)]
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>>
>> --
>> Rick Chisholm
>> http://parallel42.ca
>> http://appliedusers.ca
>> =========================
>> "There is no faith which has never yet been broken, except that of a
>> truly faithful dog." - Konrad Lorenz
>>
>>
>>
>
>


-- 
Rick Chisholm
http://parallel42.ca
http://appliedusers.ca
=========================
"There is no faith which has never yet been broken, except that of a truly
faithful dog." - Konrad Lorenz