[Snort-users] There appears to be a bug in Base-1.4.5

AllowOverride allowoverride at ...11827...
Tue Oct 9 21:16:42 EDT 2012


free invite, pay later? no thanks... 

On Tue, 2012-10-09 at 19:23 -0400, Dustin Webber wrote:
> Shawn,
> 
> 
> Yes, the things you listed below have been added. I can agree that
> before these features were added (most notably the uniq events) it was
> a little bit of a pain to navigate. 
> 
> 
> In snorby (this is in dev but will be pushed to master this weekend)
> each sensor can be configured independently. So if you don't want to
> cluster openFPC or streamDB you can add a different API url to each
> sensor.
> 
> 
> Good call on locking that box down but in those situations I feel so
> dirty I can't sleep at night. hehe maybe not that extreme but you get
> my point.
> 
> 
> Anyway, thanks for your feedback and I hope you get a chance to try
> Snorby out again in the future. Sign up at cloud.snorby.org and I'll
> give you a beta invite so you can test it and help better the
> software.
> 
> 
> - Dustin
> 
> 
> P.S. Everyone, Snorby is actively developed - if you want features
> please ask, we are willing to pretty much add anything people request.
> 
> On Oct 9, 2012, at 7:11 PM, "Jefferson, Shawn"
> <Shawn.Jefferson at ...14448...> wrote:
> 
> > Hi Dustin,
> > 
> > I'd like all alerts to be "rolled up" into one line like BASE does.
> >  I'd like to be able to have the "unique IP links" per SID view like
> > BASE has.  I didn't see that last time I looked at snorby, maybe
> > that is there and I missed it?
> > 
> > As far as StreamDB/OpenFPC, can you have both of them at the same
> > time?  The lookup API sounds interesting... I'll have to look into
> > that again.  HIPS is SEP, it's an MSSQL database... (there is a
> > possibility to use Symantec System Center and hook into that.)
> > 
> > No, I'd rather use your product, but it didn't fit my requirements at
> > the time; if it does now, that's great!  As far as vulns in BASE,
> > I'm sure there are, but I have it very locked down... I don't let
> > just any computer connect to it, which in my case is an adequate
> > compensating control (among others.)
> > 
> > 
> > 
> > -----Original Message-----
> > From: Dustin Webber [mailto:dustin.webber at ...11827...] 
> > Sent: Tuesday, October 09, 2012 3:54 PM
> > To: Jefferson, Shawn
> > Cc: Snort-Users Users
> > Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
> > 
> > Shawn,
> > 
> > What is your "workflow"? I am curious to hear how snorby can't adapt
> > to it. Also, Snorby supports StreamDB and OpenFPC, and with the lookup
> > source API in snorby adding CVE queries would be dead simple.
> > Integration with your HIPS is another story since you didn't name the
> > product you use, but I bet that likely is already there as well.
> > 
> > If I understood you correctly you are willing to jump start a dead
> > project (mad vulns exist in the code base still un-patched) then
> > commit to a new actively developed project? I'm not sure I
> > understand the logic in this, can you explain more?
> > 
> > - Dustin
> > 
> > On Oct 9, 2012, at 6:43 PM, "Jefferson, Shawn"
> > <Shawn.Jefferson at ...14448...> wrote:
> > 
> > > Who is officially the "maintainer" of BASE now?  Is BASE 2.x still
> > > being worked on?
> > > 
> > > Personally I like BASE 1.4.5, and have added a few features to my
> > > version of it that improves the analyst experience (IMO, and in my
> > > network).  I've seen the messages about it being dead, and I've
> > > been thinking someone should take it over... (maybe even me,
> > > although I'm not a developer by trade, I can hack around in php...
> > > someone else would be better, but no one seems to be stepping up
> > > to the plate?)  Some support is better than no support I guess?
> > > 
> > > Snorby is probably a better option, but at the moment, the
> > > "workflow" in Snorby doesn't match my needs (and the fact I've made
> > > modifications to add CVE lookup to patch management, StreamDB and
> > > OpenFPC lookup, and also correlation with my HIPS product.)
> > > 
> > > 
> > > -----Original Message-----
> > > From: Castle, Shane [mailto:scastle at ...14946...]
> > > Sent: Tuesday, October 09, 2012 1:23 PM
> > > To: snort-users
> > > Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
> > > 
> > > Actually, there are lots of bugs in BASE-1.4.5. And, the answer
> > > seems to be: nobody. You can go to the web site
> > > (http://base.secureideas.net/) and add your bug report to those
> > > already there (Under Support/Bug reporting) but it's not really
> > > going to be seen by anyone useful, and nothing will come of it.
> > > 
> > > Yes, we might as well face it: BASE is dead. It was pretty good
> > > while it lasted, and I used it right up until I took the Security
> > > Onion pledge. Now my primary tool is the Sguil client and I rarely
> > > use Snorby (sorry, Dustin - I just don't like it).
> > > 
> > > (Removed snort-team from CC list - they have zero interest in BASE
> > > and this is just noise to them.)
> > > 
> > > --
> > > Shane Castle
> > > Data Security Mgr, Boulder County IT
> > > 
> > > 