[Snort-users] There appears to be a bug in Base-1.4.5

AllowOverride allowoverride at ...11827...
Wed Oct 10 11:39:42 EDT 2012


Quit whining. The more you say to me that is off topic, the more I will
just say back. Normal human reaction. ;)

On Wed, 2012-10-10 at 00:44 -0400, Dustin Webber wrote:
> Jeremy,
> 
> Amen, I was starting to lose a lot of respect for this mailing list over the past year until that email. A little bit regained. Props.
> 
> - Dustin
> 
> On Oct 9, 2012, at 9:39 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> 
> > Did you even look at what Snorby is or does?  SnorbyCloud is something
> > new, in testing, and requires a server somewhere else.  However, Snorby
> > itself runs locally, is free, and unless Dustin changes his mind will
> > always be free.
> > 
> > Take the time to read a bit before you criticize what someone else is
> > doing or has done.
> > 
> > On Tue, Oct 9, 2012 at 7:16 PM, AllowOverride <allowoverride at ...11827...> wrote:
> >> free invite, pay later? no thanks...
> >> 
> >> On Tue, 2012-10-09 at 19:23 -0400, Dustin Webber wrote:
> >>> Shawn,
> >>> 
> >>> 
> >>> Yes, the things you listed below have been added. I can agree that
> >>> before these features were added (most notably the uniq events) it was
> >>> a little bit of a pain to navigate.
> >>> 
> >>> 
> >>> In snorby (this is in dev but will be pushed to master this weekend)
> >>> each sensor can be configured independently. So if you don't want to
> >>> cluster openFPC or streamDB you can add a different API url to each
> >>> sensor.
> >>> 
> >>> 
> >>> Good call on locking that box down, but in those situations I feel so
> >>> dirty I can't sleep at night. hehe maybe not that extreme but you get
> >>> my point.
> >>> 
> >>> 
> >>> Anyway, thanks for your feedback and I hope you get a chance to try
> >>> Snorby out again in the future. Sign up at cloud.snorby.org and I'll
> >>> give you a beta invite so you can test it and help better the
> >>> software.
> >>> 
> >>> 
> >>> - Dustin
> >>> 
> >>> 
> >>> P.S. Everyone, Snorby is actively developed - if you want features
> >>> please ask; we are willing to pretty much add anything people request.
> >>> 
> >>> On Oct 9, 2012, at 7:11 PM, "Jefferson, Shawn"
> >>> <Shawn.Jefferson at ...14448...> wrote:
> >>> 
> >>>> Hi Dustin,
> >>>> 
> >>>> I'd like all alerts to be "rolled up" into one line like BASE does.
> >>>> I'd like to be able to have the "unique IP links" per SID view like
> >>>> BASE has.  I didn't see that last time I looked at snorby, maybe
> >>>> that is there and I missed it?
> >>>> 
> >>>> As far as StreamDB/OpenFPC, can you have both of them at the same
> >>>> time?  The lookup API sounds interesting... I'll have to look into
> >>>> that again.  HIPS is SEP, it's a MSSQL database... (there is a
> >>>> possibility to use Symantec System Center and hook into that.)
> >>>> 
> >>>> No, I'd rather use your product, but it didn't fit my requirements at
> >>>> the time; if it does now, that's great!  As far as vulns in BASE,
> >>>> I'm sure there are, but I have it very locked down... I don't let
> >>>> just any computer connect to it, which in my case is an adequate
> >>>> compensating control (among others).
> >>>> 
> >>>> 
> >>>> 
> >>>> -----Original Message-----
> >>>> From: Dustin Webber [mailto:dustin.webber at ...11827...]
> >>>> Sent: Tuesday, October 09, 2012 3:54 PM
> >>>> To: Jefferson, Shawn
> >>>> Cc: Snort-Users Users
> >>>> Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
> >>>> 
> >>>> Shawn,
> >>>> 
> >>>> What is your "workflow"? I am curious to hear how Snorby can't adapt
> >>>> to it. Also, Snorby supports StreamDB and OpenFPC, and with the lookup
> >>>> source API in Snorby adding CVE queries would be dead simple.
> >>>> Integration with your HIPS is another story since you didn't name the
> >>>> product you use, but I bet that is likely already there as well.
> >>>> 
> >>>> If I understood you correctly, you are willing to jump start a dead
> >>>> project (mad vulns exist in the code base, still unpatched) rather than
> >>>> commit to a new, actively developed project? I'm not sure I
> >>>> understand the logic in this; can you explain more?
> >>>> 
> >>>> - Dustin
> >>>> 
> >>>> On Oct 9, 2012, at 6:43 PM, "Jefferson, Shawn"
> >>>> <Shawn.Jefferson at ...14448...> wrote:
> >>>> 
> >>>>> Who is officially the "maintainer" of BASE now?  Is BASE 2.x still
> >>>>> being worked on?
> >>>>> 
> >>>>> Personally I like BASE 1.4.5, and have added a few features to my
> >>>>> version of it that improve the analyst experience (IMO, and in my
> >>>>> network).  I've seen the messages about it being dead, and I've
> >>>>> been thinking someone should take it over... (maybe even me,
> >>>>> although I'm not a developer by trade, I can hack around in PHP...
> >>>>> someone else would be better, but no one seems to be stepping up
> >>>>> to the plate?)  Some support is better than no support, I guess?
> >>>>> 
> >>>>> Snorby is probably a better option, but at the moment, the "workflow"
> >>>>> in Snorby doesn't match my needs (and the fact I've made modifications
> >>>>> to add CVE lookup to patch management, StreamDB and OpenFPC lookup,
> >>>>> and also correlation with my HIPS product.)
> >>>>> 
> >>>>> 
> >>>>> -----Original Message-----
> >>>>> From: Castle, Shane [mailto:scastle at ...14946...]
> >>>>> Sent: Tuesday, October 09, 2012 1:23 PM
> >>>>> To: snort-users
> >>>>> Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
> >>>>> 
> >>>>> Actually, there are lots of bugs in BASE-1.4.5. And, the answer
> >>>>> seems to be: nobody. You can go to the web site
> >>>>> (http://base.secureideas.net/) and add your bug report to those
> >>>>> already there (Under Support/Bug reporting) but it's not really
> >>>>> going to be seen by anyone useful, and nothing will come of it.
> >>>>> 
> >>>>> Yes, we might as well face it: BASE is dead. It was pretty good
> >>>>> while it lasted, and I used it right up until I took the Security
> >>>>> Onion pledge. Now my primary tool is the Sguil client and I rarely
> >>>>> use Snorby (sorry, Dustin - I just don't like it).
> >>>>> 
> >>>>> (Removed snort-team from CC list - they have zero interest in BASE and
> >>>>> this is just noise to them.)
> >>>>> 
> >>>>> --
> >>>>> Shane Castle
> >>>>> Data Security Mgr, Boulder County IT
> >>>>> 
> >>>>> 
> >>>>> ------------------------------------------------------------------------------
> >>>>> Don't let slow site performance ruin your business. Deploy New Relic APM
> >>>>> Deploy New Relic app performance management and know exactly
> >>>>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> >>>>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> >>>>> http://p.sf.net/sfu/newrelic-dev2dev
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>> 
> >>>>> Please visit http://blog.snort.org to stay current on all the
> >>>>> latest Snort news!