[Snort-users] general questions
wkitty42 at ...14940...
Fri Mar 29 15:24:51 EDT 2013
On 3/29/2013 10:40, Mohammad MontazerI wrote:
>> Hello dear all.
>> i had a few questions, some of which have been answered but some have not.
>> 1- which rule manager is better and where i can download it?
this is speculative at best... we currently use oinkmaster but are looking at
pulledpork... they each have their differences of which some are positive and
others are negative but this is also related to one's environment and how they
want/need to manage their rules...
for example, pulledpork has some sort of policy method where you can select
balanced, security or a third one for your rules and only those rules with that
metadata will be enabled in your rules file... oinkmaster, on the other hand,
doesn't know anything about any metadata so all the rules that you have told
oinkmaster to use are enabled in your rules files...
and there i also named a subtle difference between them, as well... oinkmaster
leaves all your rules in their individual rules files... pulledpork merges them
all into one huge rules file... i think i read that pulled pork can leave them
in their original files but i'm not certain of that... again, it depends on
/how/ *you* want to manage your rules...
most of our installations are quite happy with oinkmaster and simply adding
disablesid, enablesid or modifysid options to an included oinkmaster config file
without anything else stepping in the way and doing something else not
understood or desired...
personally, i'm not aware of any of our systems using any specific policy nor
have there been any requests for such... in the worst case, all rules are
enabled and are then weeded down to only those that are required for that
particular network and/or network segment...
>> 2- is there any software which i can use to read the log files? (something
>> that gives more options)
you'll have to be more specific... many of our sites simply use less to browse
thru the log files... we also have a page in our GUI that parses the alert file
into something a bit more human readable but some important information is still
missing (ie: no GID:SID:rev, only the rule's msg)... you have this problem of
"missing or cryptic information" with the raw alert file, anyway... this is why
there are the references included in the rules and those are then linked to the
actual documentation of the reference in those cases where there is any
documentation (ie: CVEs)...
NOTE: personally i have not looked at any of the existing "consolidation"
packages like snorby (first name that came to mind) and others which have all
kinds of pretty graphs and output... if we are looking for stats, then we run
quite simple greps and similar stats counting methods... nothing fancy and no
databases or other storage methods necessary (or desired in our cases)... yes,
that means that we work with the raw alert file and the raw pcap files when we
need to dig into them...
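Added example, not part of the original post: a small parser for Snort's single-line alert_fast output that keeps the GID:SID:rev the poster says their GUI page drops, and then produces the grep-style per-signature counts the post describes. The sample alert lines are constructed (made-up rules and addresses), and the regex assumes the alert_fast layout (timestamp, [gid:sid:rev], msg, optional classification and priority, {proto}, src -> dst).

```python
import re
from collections import Counter

# Constructed sample in Snort's single-line alert_fast style (made-up addresses, not real traffic).
SAMPLE_ALERTS = """\
03/29-10:40:12.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
03/29-10:40:13.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.11:51240
03/29-10:41:02.555555  [**] [1:1000001:1] LOCAL suspicious user agent [**] [Priority: 3] {TCP} 192.168.1.12:40001 -> 203.0.113.9:80
03/29-10:42:00.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.168.1.1
this line is not an alert and is skipped
"""

# One alert per line: timestamp, [gid:sid:rev], msg, optional classification,
# optional priority, {protocol}, source -> destination (ports may be absent).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[^}]*)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alerts(text):
    """Return one dict per parsable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sig"] = f"{d['gid']}:{d['sid']}:{d['rev']}"   # the GID:SID:rev a msg-only view drops
        d["prio"] = int(d["prio"]) if d["prio"] is not None else None
        d["cls"] = d["cls"] if d["cls"] is not None else "unclassified"
        alerts.append(d)
    return alerts

def count_by_signature(alerts):
    """(sig, msg, count) tuples, most frequent first: the grep-style stat the post describes."""
    counts = Counter()
    msgs = {}
    for a in alerts:
        counts[a["sig"]] += 1
        msgs[a["sig"]] = a["msg"]
    return [(sig, msgs[sig], n) for sig, n in counts.most_common()]

if __name__ == "__main__":
    for sig, msg, n in count_by_signature(parse_alerts(SAMPLE_ALERTS)):
        print(f"{n:5d}  {sig:>14}  {msg}")
```

Pointing parse_alerts at the contents of a real alert file (for example via open(path).read()) gives the same per-signature table without any database behind it.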