[Snort-users] There appears to be a bug in Base-1.4.5

Jeremy Hoel jthoel at ...11827...
Tue Oct 9 21:39:15 EDT 2012


Did you even look at what Snorby is or does?  SnorbyCloud is something
new, in testing, and requires a server somewhere else.  However, Snorby
itself runs locally, is free, and unless Dustin changes his mind will
always be free.

Take the time to read a bit before you criticize what someone else is
doing or has done.

On Tue, Oct 9, 2012 at 7:16 PM, AllowOverride <allowoverride at ...11827...> wrote:
> free invite, pay later? no thanks...
>
> On Tue, 2012-10-09 at 19:23 -0400, Dustin Webber wrote:
>> Shawn,
>>
>>
>> Yes, the things you listed below have been added. I can agree that
>> before these features were added (most notably the uniq events) it was
>> a little bit of a pain to navigate.
>>
>>
>> In Snorby (this is in dev but will be pushed to master this weekend)
>> each sensor can be configured independently. So if you don't want to
>> cluster OpenFPC or StreamDB you can add a different API URL to each
>> sensor.
>>
>>
>> Good call on locking that box down, but in those situations I feel so
>> dirty I can't sleep at night. hehe maybe not that extreme, but you get
>> my point.
>>
>>
>> Anyway, thanks for your feedback and I hope you get a chance to try
>> Snorby out again in the future. Sign up at cloud.snorby.org and I'll
>> give you a beta invite so you can test it and help better the
>> software.
>>
>>
>> - Dustin
>>
>>
>> P.S. Everyone, Snorby is actively developed - if you want features
>> please ask, we are willing to pretty much add anything people request.
>>
>> On Oct 9, 2012, at 7:11 PM, "Jefferson, Shawn"
>> <Shawn.Jefferson at ...14448...> wrote:
>>
>> > Hi Dustin,
>> >
>> > I'd like all alerts to be "rolled up" into one line like BASE does.
>> >  I'd like to be able to have the "unique IP links" per SID view like
>> > BASE has.  I didn't see that last time I looked at snorby, maybe
>> > that is there and I missed it?
>> >
>> > As far as StreamDB/OpenFPC, can you have both of them at the same
>> > time?  The lookup API sounds interesting... I'll have to look into
>> > that again.  HIPS is SEP, it's a MSSQL database... (there is a
>> > possibility to use Symantec System Center and hook into that.)
>> >
>> > No, I'd rather use your product, but it didn't fit my requirements at
>> > the time; if it does now, that's great!  As far as vulns in BASE,
>> > I'm sure there are, but I have it very locked down... I don't let
>> > just any computer connect to it, which in my case is an adequate
>> > compensating control (among others.)
>> >
>> > -----Original Message-----
>> > From: Dustin Webber [mailto:dustin.webber at ...11827...]
>> > Sent: Tuesday, October 09, 2012 3:54 PM
>> > To: Jefferson, Shawn
>> > Cc: Snort-Users Users
>> > Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
>> >
>> > Shawn,
>> >
>> > What is your "workflow"? I am curious to hear how Snorby can't adapt
>> > to it. Also, Snorby supports StreamDB and OpenFPC, and with the lookup
>> > source API in Snorby adding CVE queries would be dead simple.
>> > Integration with your HIPS is another story since you didn't name the
>> > product you use, but I bet that likely is already there as well.
>> >
>> > If I understood you correctly you are willing to jump start a dead
>> > project (mad vulns exist in the code base still un-patched) then
>> > commit to a new actively developed project? I'm not sure I
>> > understand the logic in this, can you explain more?
>> >
>> > - Dustin
>> >
>> > On Oct 9, 2012, at 6:43 PM, "Jefferson, Shawn"
>> > <Shawn.Jefferson at ...14448...> wrote:
>> >
>> > > Who is officially the "maintainer" of BASE now?  Is BASE 2.x still
>> > > being worked on?
>> > >
>> > > Personally I like BASE 1.4.5, and have added a few features to my
>> > > version of it that improve the analyst experience (IMO, and in my
>> > > network).  I've seen the messages about it being dead, and I've
>> > > been thinking someone should take it over... (maybe even me,
>> > > although I'm not a developer by trade, I can hack around in PHP...
>> > > someone else would be better, but no one seems to be stepping up
>> > > to the plate?)  Some support is better than no support, I guess?
>> > >
>> > > Snorby is probably a better option, but at the moment, the
>> > > "workflow" in Snorby doesn't match my needs (and the fact I've made
>> > > modifications to add CVE lookup to patch management, StreamDB and
>> > > OpenFPC lookup, and also correlation with my HIPS product.)
>> > >
>> > > -----Original Message-----
>> > > From: Castle, Shane [mailto:scastle at ...14946...]
>> > > Sent: Tuesday, October 09, 2012 1:23 PM
>> > > To: snort-users
>> > > Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
>> > >
>> > > Actually, there are lots of bugs in BASE-1.4.5. And, the answer
>> > > seems to be: nobody. You can go to the web site
>> > > (http://base.secureideas.net/) and add your bug report to those
>> > > already there (Under Support/Bug reporting) but it's not really
>> > > going to be seen by anyone useful, and nothing will come of it.
>> > >
>> > > Yes, we might as well face it: BASE is dead. It was pretty good
>> > > while it lasted, and I used it right up until I took the Security
>> > > Onion pledge. Now my primary tool is the Sguil client and I rarely
>> > > use Snorby (sorry, Dustin - I just don't like it).
>> > >
>> > > (Removed snort-team from CC list - they have zero interest in BASE
>> > > and this is just noise to them.)
>> > >
>> > > --
>> > > Shane Castle
>> > > Data Security Mgr, Boulder County IT