[Snort-users] There appears to be a bug in Base-1.4.5

Dustin Webber dustin.webber at ...11827...
Wed Oct 10 00:44:20 EDT 2012


Jeremy,

Amen, I was starting to lose a lot of respect for this mailing list over the past year until that email. A little bit regained. Props.

- Dustin

On Oct 9, 2012, at 9:39 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> Did you even look at what Snorby is or does?  SnorbyCloud is something
> new, in testing and requires a server somewhere else.  However Snorby
> itself runs locally, is free and unless Dustin changes his mind will
> always be free.
> 
> Take the time to read a bit before you criticize what someone else is
> doing or has done.
> 
> On Tue, Oct 9, 2012 at 7:16 PM, AllowOverride <allowoverride at ...11827...> wrote:
>> free invite, pay later? no thanks...
>> 
>> On Tue, 2012-10-09 at 19:23 -0400, Dustin Webber wrote:
>>> Shawn,
>>> 
>>> 
>>> Yes, the things you listed below have been added. I can agree that
>>> before these features were added (most notably the uniq events) it was
>>> a little bit of a pain to navigate.
>>> 
>>> 
>>> In Snorby (this is in dev but will be pushed to master this weekend)
>>> each sensor can be configured independently. So if you don't want to
>>> cluster OpenFPC or StreamDB you can add a different API URL to each
>>> sensor.
>>> 
>>> 
>>> Good call on locking that box down, but in those situations I feel so
>>> dirty I can't sleep at night. hehe maybe not that extreme but you get
>>> my point.
>>> 
>>> 
>>> Anyway, thanks for your feedback and I hope you get a chance to try
>>> Snorby out again in the future. Sign up at cloud.snorby.org and I'll
>>> give you a beta invite so you can test it and help better the
>>> software.
>>> 
>>> 
>>> - Dustin
>>> 
>>> 
>>> P.S. Everyone, Snorby is actively developed - if you want features
>>> please ask, we are willing to pretty much add anything people request.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Oct 9, 2012, at 7:11 PM, "Jefferson, Shawn"
>>> <Shawn.Jefferson at ...14448...> wrote:
>>> 
>>>> Hi Dustin,
>>>> 
>>>> I'd like all alerts to be "rolled up" into one line like BASE does.
>>>> I'd like to be able to have the "unique IP links" per SID view like
>>>> BASE has.  I didn't see that last time I looked at snorby, maybe
>>>> that is there and I missed it?
>>>> 
>>>> As far as StreamDB/OpenFPC, can you have both of them at the same
>>>> time?  The lookup API sounds interesting... I'll have to look into
>>>> that again.  HIPS is SEP, it's a MSSQL database... (there is a
>>>> possibility to use Symantec System Center and hook into that.)
>>>> 
>>>> No, I'd rather use your product, but it didn't fit my requirements at
>>>> the time; if it does now, that's great!  As far as vulns in BASE,
>>>> I'm sure there are, but I have it very locked down... I don't let
>>>> just any computer connect to it, which in my case is an adequate
>>>> compensating control (among others.)
>>>> 
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: Dustin Webber [mailto:dustin.webber at ...11827...]
>>>> Sent: Tuesday, October 09, 2012 3:54 PM
>>>> To: Jefferson, Shawn
>>>> Cc: Snort-Users Users
>>>> Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
>>>> 
>>>> Shawn,
>>>> 
>>>> What is your "workflow"? I am curious to hear how Snorby can't adapt
>>>> to it. Also, Snorby supports StreamDB and OpenFPC, and with the lookup
>>>> source API in Snorby adding CVE queries would be dead simple.
>>>> Integration with your HIPS is another story since you didn't name the
>>>> product you use, but I bet that likely is already there as well.
>>>> 
>>>> If I understood you correctly, you are willing to jump start a dead
>>>> project (mad vulns exist in the code base still un-patched) rather
>>>> than commit to a new actively developed project? I'm not sure I
>>>> understand the logic in this, can you explain more?
>>>> 
>>>> - Dustin
>>>> 
>>>> On Oct 9, 2012, at 6:43 PM, "Jefferson, Shawn"
>>>> <Shawn.Jefferson at ...14448...> wrote:
>>>> 
>>>>> Who is officially the "maintainer" of BASE now?  Is BASE 2.x still
>>>>> being worked on?
>>>>> 
>>>>> Personally I like BASE 1.4.5, and have added a few features to my
>>>>> version of it that improves the analyst experience (IMO, and in my
>>>>> network).  I've seen the messages about it being dead, and I've
>>>>> been thinking someone should take it over... (maybe even me,
>>>>> although I'm not a developer by trade, I can hack around in php...
>>>>> someone else would be better, but no one seems to be stepping up
>>>>> to the plate?)  Some support is better than no support I guess?
>>>>> 
>>>>> Snorby is probably a better option, but at the moment, the
>>>>> "workflow" in Snorby doesn't match my needs (and the fact I've made
>>>>> modifications to add CVE lookup to patch management, StreamDB and
>>>>> OpenFPC lookup, and also correlation with my HIPS product.)
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Castle, Shane [mailto:scastle at ...14946...]
>>>>> Sent: Tuesday, October 09, 2012 1:23 PM
>>>>> To: snort-users
>>>>> Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
>>>>> 
>>>>> Actually, there are lots of bugs in BASE-1.4.5. And, the answer
>>>>> seems to be: nobody. You can go to the web site
>>>>> (http://base.secureideas.net/) and add your bug report to those
>>>>> already there (Under Support/Bug reporting) but it's not really
>>>>> going to be seen by anyone useful, and nothing will come of it.
>>>>> 
>>>>> Yes, we might as well face it: BASE is dead. It was pretty good
>>>>> while it lasted, and I used it right up until I took the Security
>>>>> Onion pledge. Now my primary tool is the Sguil client and I rarely
>>>>> use Snorby (sorry, Dustin - I just don't like it).
>>>>> 
>>>>> (Removed snort-team from CC list - they have zero interest in BASE
>>>>> and this is just noise to them.)
>>>>> 
>>>>> --
>>>>> Shane Castle
>>>>> Data Security Mgr, Boulder County IT
>>>>> 
>>>>> 
>> 
