[Snort-users] php, base issue

Greg Williams alphawebfx at ...11827...
Fri May 18 13:56:55 EDT 2012


I tried it and was a little disappointed in how slow it was running for me.
I only gave it about 15 minutes, but I was definitely losing more packets
than my custom install.  Maybe it's better now. ~400-500 MBps sustained.

On Fri, May 18, 2012 at 11:53 AM, Rick Chisholm <chavez243 at ...11827...> wrote:

> FWIW - you can always take a look at Security Onion - it has a bunch of
> Snort front-ends you can play with.
>
> First we had ACID and it went ker-splat, then BASE, which is dying on the
> vine. Not sure what the next move is, all I know is that I need a
> functional front-end and for right now that's Snorby.
>
>
> On Fri, May 18, 2012 at 1:46 PM, Greg Williams <alphawebfx at ...11827...> wrote:
>
>> Well said! I 100% agree. Even though I have alerts forwarding via syslog
>> to other destinations like Splunk, there is just something about BASE that
>> trumps everything else.  I've tried many other apps as well including
>> Snorby and Sguil.
>>
>>
>>
>> On May 18, 2012, at 11:36 AM, Ron Sinclair <unixfool at ...11827...> wrote:
>>
>> I hear such statements all the time.  Would be nice if someone took BASE
>> and revamped (but not whole-hog) it.
>>
>> I've been using BASE for almost 10 years, even after using both Sguil and
>> Snorby.  There's something about BASE that Snorby just can't match...just
>> my opinion.  I do check Snorby from time to time to assess any new
>> features.  Last I checked, it still had a long way to go, so I kept using
>> BASE.  Sguil...I don't know, since I never force myself to spend enough
>> time to better utilize it.  I usually just get frustrated and wipe it out.
>>
>> BASE seems less maintenance intensive than either Sguil or Snorby.  I
>> don't want to have to learn Ruby/Rails to use Snorby.  I didn't really have
>> to understand all that much about PHP to begin using BASE, and I already
>> had a good knowledge of MySQL, Snort, and Apache (and a multitude of other
>> things).  I'll be using BASE for another 10 years, or until something else
>> (that isn't Sguil or Snorby) is released. If that doesn't happen, I'll go
>> straight to the raw logs and begin using correlation scripts and tools.
>>
>> On Fri, May 18, 2012 at 1:06 PM, Rick Chisholm <chavez243 at ...11827...> wrote:
>>
>>> Hi Dennis:
>>>
>>> BASE is getting pretty long in the tooth, does not appear to be actively
>>> developed, and as PHP advances is slowly breaking. It is advisable to
>>> switch to something like Snorby, Sguil etc.
>>>
>>> On Fri, May 18, 2012 at 12:37 PM, Dennis Circolone <djcircolone at ...11827...> wrote:
>>>
>>>> Hello,
>>>> I have configured snort-2.9.2.2 on an opensuse 12.1 box, everything is
>>>> working great except for the portscan traffic stays at 0% after an NMAP
>>>> test and when I select source ports link or dest ports link I receive an
>>>> error. Does anyone know how I can resolve this issue?
>>>>
>>>>
>>>> Basic Analysis and Security Engine (BASE)
>>>>
>>>> [BASE main page as pasted, navigation links stripped]
>>>> Today's alerts / Last 24 Hours alerts / Last 72 Hours alerts: unique, listing, Source IP, Destination IP
>>>> Most recent 15 Alerts: any protocol, TCP, UDP, ICMP
>>>> Last Source Ports / Last Destination Ports: any protocol, TCP, UDP
>>>> Most Frequent Source Ports / Most Frequent Destination Ports: any protocol, TCP, UDP
>>>> Most frequent 15 Addresses: Source, Destination
>>>> Most recent 15 Unique Alerts / Most frequent 5 Unique Alerts
>>>>
>>>> Queried on: Fri May 18, 2012 16:34:43
>>>> Database: snort at ...274...    (Schema Version: 107)
>>>> Time Window: [2012-05-18 11:05:19] - [2012-05-18 11:06:55]
>>>> Search | Graph Alert Data | Graph Alert Detection Time
>>>>
>>>> ------------------------------
>>>> Sensors/Total: 1 / 2
>>>> Unique Alerts: 1
>>>> Categories: 1
>>>> Total Number of Alerts: 48
>>>>
>>>>    - Src IP addrs: 13
>>>>    - Dest. IP addrs: 1
>>>>    - Unique IP links: 13
>>>>    - Source Ports: 2 (TCP 0, UDP 2)
>>>>    - Dest Ports: 2 (TCP 0, UDP 2)
>>>>
>>>> Traffic Profile by Protocol: TCP (0%), UDP (100%), ICMP (0%)
>>>>
>>>> ------------------------------
>>>> Portscan Traffic (0%)
>>>>
>>>>
>>>> [Source ports page as pasted (base_stat_ports.php?port_type=1&proto=1), navigation links stripped]
>>>> Basic Analysis and Security Engine (BASE)
>>>> Home | Search
>>>>
>>>> [ Back ]
>>>>
>>>> /srv/www/htdocs/base/includes/base_cache.inc.php:556: ERROR:
>>>> $number_sensors_array is NOT an array!
>>>>
>>>>
>>>> /srv/www/htdocs/base/includes/base_cache.inc.php:564: ERROR:
>>>> $number_sensors_array is either NULL or empty!
>>>>
>>>> Queried on: Fri May 18, 2012 16:36:23
>>>> Meta Criteria: any   IP Criteria: any   Layer 4 Criteria: none   Payload Criteria: any
>>>>
>>>> No Alerts were found.
>>>>
>>>> Table columns: Port | Sensor | Occurrences | Unique Alerts | Src. Addr. | Dest. Addr. | First | Last
>>>> ACTION: { action } (ADD to AG (by ID), ADD to AG (by Name), Create AG (by Name), Delete
>>>> alert(s), Email alert(s) (full), Email alert(s) (summary), Email alert(s) (csv),
>>>> Archive alert(s) (copy), Archive alert(s) (move))
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Live Security Virtual Conference
>>>> Exclusive live event will cover all the ways today's security and
>>>> threat landscape has changed and how IT managers can respond.
>>>> Discussions
>>>> will include endpoint security, mobile security and the latest in
>>>> malware
>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>>
>>> --
>>> Rick Chisholm
>>> http://parallel42.ca
>>> http://appliedusers.ca
>>> =========================
>>> "There is no faith which has never yet been broken, except that of a
>>> truly faithful dog." - Konrad Lorenz
>>>
>>>
>>>
>>
>>
>>
>>
>
>
> --
> Rick Chisholm
> http://parallel42.ca
> http://appliedusers.ca
> =========================
> "There is no faith which has never yet been broken, except that of a truly
> faithful dog." - Konrad Lorenz
>