[Snort-users] general questions

waldo kitty wkitty42 at ...14940...
Fri Mar 29 15:24:51 EDT 2013

On 3/29/2013 10:40, Mohammad MontazerI wrote:
>> Hello dear all.
>> i had a few questions, some of which have been answered but some have not.
>> 1- which rule manager is better and where i can download it?

this is speculative at best... we currently use oinkmaster but are looking at 
pulledpork... they each have their differences of which some are positive and 
others are negative but this is also related to one's environment and how they 
want/need to manage their rules...

for example, pulledpork has some sort of policy method where you can select 
balanced, security or a third one for your rules and only those rules with that 
metadata will be enabled in your rules file... oinkmaster, on the other hand, 
doesn't know anything about any metadata so all the rules that you have told 
oinkmaster to use are enabled in your rules files...

and there i also named a subtle difference between them, as well... oinkmaster 
leaves all your rules in their individual rules files... pulledpork merges them 
all into one huge rules file... i think i read that pulledpork can leave them 
in their original files but i'm not certain of that... again, it depends on 
/how/ *you* want to manage your rules...

most of our installations are quite happy with oinkmaster and simply adding 
disablesid, enablesid or modifysid options to an included oinkmaster config file 
without anything else stepping in the way and doing something else not 
understood or desired...

personally, i'm not aware of any of our systems using any specific policy nor 
have there been any requests for such... in the worst case, all rules are 
enabled and are then weeded down to only those that are required for that 
particular network and/or network segment...

>> 2- is there any software which i can use to read the log files? (something
>> that gives more options)

you'll have to be more specific... many of our sites simply use less to browse 
thru the log files... we also have a page in our GUI that parses the alert file 
into something a bit more human readable but some important information is still 
missing (ie: no GID:SID:rev, only the rule's msg)... you have this problem of 
"missing or cryptic information" with the raw alert file, anyway... this is why 
there are the references included in the rules and those are then linked to the 
actual documentation of the reference in those cases where there is any 
documentation (ie: CVEs)...

NOTE: personally i have not looked at any of the existing "consolidation" 
packages like snorby (first name that came to mind) and others which have all 
kinds of pretty graphs and output... if we are looking for stats, then we run 
quite simple greps and similar stats counting methods... nothing fancy and no 
databases or other storage methods necessary (or desired in our cases)... yes, 
that means that we work with the raw alert file and the raw pcap files when we 
need to dig into them...
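As an added example (not code from the post above), here is the kind of small script that fills the gap the reply mentions: it pulls GID:SID:rev out of each line alongside the rule's msg, and does the "simple grep and count" stats on the raw alert file. It assumes the alert file was written by Snort's alert_fast output plugin; the sample lines, SIDs and addresses are constructed.

```python
"""Parse Snort alert_fast lines and count them by GID:SID:rev.

Added example, not code from the original post. Assumes the alert file
was written by Snort's alert_fast output plugin (one alert per line).
"""
import re
from collections import Counter
from typing import Iterable, Optional

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src -> dst
# Classification is optional (local rules often omit classtype); ICMP lines carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one alert_fast line as a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Keep GID:SID:rev together: it is what the raw msg alone does not tell you.
    d["rule_id"] = f"{d['gid']}:{d['sid']}:{d['rev']}"
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d

def count_by_rule(lines: Iterable[str]) -> Counter:
    """Roughly grep | sort | uniq -c, keyed on (GID:SID:rev, msg); non-alert lines are skipped."""
    alerts = (parse_alert(line) for line in lines)
    return Counter((a["rule_id"], a["msg"]) for a in alerts if a is not None)

# Constructed sample alerts (RFC 5737 addresses, made-up local SIDs), not real traffic.
SAMPLE_ALERTS = """\
03/29-10:40:01.123456  [**] [1:1000001:2] LOCAL constructed rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
03/29-10:41:13.000001  [**] [1:1000001:2] LOCAL constructed rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.6:51300
03/29-10:42:09.500000  [**] [1:1000002:1] LOCAL constructed rule B [**] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
not an alert line at all
"""

if __name__ == "__main__":
    for (rule, msg), n in count_by_rule(SAMPLE_ALERTS.splitlines()).most_common():
        print(f"{n:5d}  [{rule}] {msg}")
```

Point it at a real alert file with `count_by_rule(open(path))` to get the same per-rule tally, including the GID:SID:rev that a msg-only view drops.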

