<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top" style="font: inherit;"><p>So much pain.<br><br><br></p>
<p>Sent from Yahoo! Mail on Android</p>
</td></tr></table>            <div id="_origMsg_">
                <div style="font-family:arial, helvetica, sans-serif;font-size:10pt">
                    <br />
                    <div style="font-family:times new roman, new york, times, serif;font-size:12pt">
                        <font size="2" face="Tahoma">
                            <hr size="1">
                            <b>
                                <span style="font-weight:bold;">From:</span>
                            </b>
                            Dustin Webber <dustin.webber@...11827...>;                            <br>
                            <b>
                                <span style="font-weight:bold;">To:</span>
                            </b>
                            Alex Wright <wrightalexw@...131...>;                                                     <br>
                            <b>
                                <span style="font-weight:bold;">Cc:</span>
                            </b>
                            mcholste@...11827... <mcholste@...11827...>; snort-users@lists.sourceforge.net <snort-users@lists.sourceforge.net>;                                                                             <br>
                            <b>
                                <span style="font-weight:bold;">Subject:</span>
                            </b>
                            Re: [Snort-users] snort web interface                            <br>
                            <b>
                                <span style="font-weight:bold;">Sent:</span>
                            </b>
                            Wed, Aug 24, 2011 2:13:49 AM                            <br>
                            </font>
                            <br>
                            <table cellspacing="0" cellpadding="0" border="0">
                                <tbody>
                                    <tr>
                                        <td valign="top" style="font:inherit;"><div><br></div><div>Alex,</div><div><br></div><div>Like I said.. not trying to be mean.. think of it as `information security intervention`. - Sometimes the truth feels like an insult.. but it's just the truth.</div>

<br clear="all">Dustin W. Webber<br><a rel="nofollow" ymailto="mailto:Dustin.Webber@...11827..." target="_blank" href="javascript:return">Dustin.Webber@...11827...</a><br>
<br><br><div class="gmail_quote">On Tue, Aug 23, 2011 at 10:10 PM, Alex Wright <span dir="ltr"><<a rel="nofollow" ymailto="mailto:wrightalexw@...131..." target="_blank" href="javascript:return">wrightalexw@...391...31...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

<table cellspacing="0" cellpadding="0" border="0"><tbody><tr><td valign="top" style="font:inherit;"><p>I responded to the popular half.  And agreed with you.  I'm sure insults commonly progress things though.<br><br><br>

</p><div class="im">
</div></td></tr></tbody></table>            <div>
                <div>
                    <br>
                    <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
                        <font size="2" face="Tahoma"><div class="im">
                            <hr size="1">
                            <b>
                                <span style="font-weight:bold;">From:</span>
                            </b>
                            Dustin Webber <<a rel="nofollow" ymailto="mailto:dustin.webber@...11827..." target="_blank" href="javascript:return">dustin.webber@...11827...</a>>;                            <br>
                            </div><b>
                                <span>To:</span>
                            </b>
                            Alex Wright <<a rel="nofollow" ymailto="mailto:wrightalexw@...131..." target="_blank" href="javascript:return">wrightalexw@...131...</a>>;                                                     <br>
                            <b>
                                <span>Cc:</span>
                            </b>
                            <a rel="nofollow" ymailto="mailto:mcholste@...11827..." target="_blank" href="javascript:return">mcholste@...13704......</a> <<a rel="nofollow" ymailto="mailto:mcholste@...11827..." target="_blank" href="javascript:return">mcholste@...11827...</a>>; <a rel="nofollow" ymailto="mailto:snort-users@lists.sourceforge.net" target="_blank" href="javascript:return">snort-users@lists.sourceforge.net</a> <<a rel="nofollow" ymailto="mailto:snort-users@...3783...net" target="_blank" href="javascript:return">snort-users@...4137...orge.net</a>>;                                                                             <br>

<div class="im">
                            <b>
                                <span>Subject:</span>
                            </b>
                            Re: [Snort-users] snort web interface                            <br>
                            </div><b>
                                <span style="font-weight:bold;">Sent:</span>
                            </b>
                            Wed, Aug 24, 2011 2:06:14 AM                            <br>
                            </font><div><div></div><div class="h5">
                            <br>
                            <table cellspacing="0" cellpadding="0" border="0">
                                <tbody>
                                    <tr>
                                        <td valign="top" style="font:inherit;"><div><br></div><div>Well.. VI is pretty common.. but if you use that over VIM, well you're just an idiot. -- dude, not trying to be mean.. but srsly.. you are setting us all back in evolution.. just stop.</div>

<br clear="all">

Dustin W. Webber<br><a rel="nofollow">Dustin.Webber@...11827...</a><br>
<br><br><div class="gmail_quote">On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <span dir="ltr"><<a rel="nofollow">wrightalexw@...131...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">



<table cellspacing="0" cellpadding="0" border="0"><tbody><tr><td valign="top" style="font:inherit;"><p>Superiority doesn't prevent BASE from being common. <br></p>
<p>-adam<br><br><br></p><div>
</div></td></tr></tbody></table>            <div>
                <div>
                    <br>
                    <div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
                        <font size="2" face="Tahoma">
                            <hr size="1">
                            <b>
                                <span style="font-weight:bold;">From:</span>
                            </b>
                            Dustin Webber <<a rel="nofollow">dustin.webber@...11827...</a>>;                            <br>
                            <b>
                                <span>To:</span>
                            </b>
                            Martin Holste <<a rel="nofollow">mcholste@...11827...</a>>;                                                     <br>
                            <b>
                                <span>Cc:</span>
                            </b>
                            Snort <<a rel="nofollow">snort-users@...7287....sourceforge.net</a>>;                                                                             <br>

<div>
                            <b>
                                <span>Subject:</span>
                            </b>
                            Re: [Snort-users] snort web interface                            <br>
                            </div><b>
                                <span style="font-weight:bold;">Sent:</span>
                            </b>
                            Wed, Aug 24, 2011 1:55:52 AM                            <br>
                            </font><div><div></div><div>
                            <br>
                            <table cellspacing="0" cellpadding="0" border="0">
                                <tbody>
                                    <tr>
                                        <td valign="top" style="font:inherit;"><div>All,</div><div><br></div><div>Very concerned with the comments by James Lay and Adam Wright... Idiotic to say the least... anyways..</div>



<div><br></div><div>Second, I don't think I have ever heard anyone sum up how important full packet capture is than Martin Holste just did (since Bam/Richard of course). I'm biased in this decision because I started and maintain snorby but if you decide to use another tool please make sure it follows the NSM guidelines. Sguil, snorby, Squert and the upcoming nsmframework are your best options for proper IR/NSM solutions.</div>





<div><br></div><div>Martin, I would like to work with you on getting StreamDB a proper snorby plugin/menu selection.</div><br clear="all">Dustin W. Webber<br><a rel="nofollow">Dustin.Webber@...11827...</a><br>

<a rel="nofollow">(913) 375-2798</a><br>
<br><br><div class="gmail_quote">On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <span dir="ltr"><<a rel="nofollow">mcholste@...11827...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">





I agree with Jason:  BASE is dead and clunky, and not all that easy to<br>
install.  If you are looking for a dead simple install with no traffic<br>
integration, then I suggest having Snort (or barnyard) output to<br>
syslog and send it to a personal version of Splunk, which is free.<br>
You can get that up and running in about five minutes.  However,<br>
Snorby is superior and worth putting a few more (but not too many<br>
more) minutes of time because you get the packet integration.  In my<br>
opinion, unless you have access to the traffic you are inspecting with<br>
your IDS in some sort of raw form, you are operating a crippled<br>
installation and have no way to make informed decisions about good or<br>
bad events on the network.<br>
<br>
I will also mention that Snorby integrates with my<br>
<a rel="nofollow" target="_blank" href="http://StreamDB.googlecode.com">StreamDB.googlecode.com</a> project which is OpenFPC compatible, but<br>
several orders of magnitude faster than OpenFPC.  So my recommendation<br>
would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap<br>
retrieval is just too slow for my taste, and so that precludes running<br>
Squert.<br>
<div><br>
On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <<a rel="nofollow">jason.meller@...11827...</a>> wrote:<br>
</div><div><div></div><div>> Alexus,<br>
> Full disclosure, I work with Mephux on Snorby but I don't think James or<br>
> Alex correctly or accurately answered your question, so I wanted to throw in<br>
> my $0.02.<br>
><br>
> BASE is a dead project and hasn't had a new feature pushed since 2008 (3<br>
> years ago). It doesn't plug in with any of the packet capture frameworks out<br>
> there and its interface is disorganized compared to the other available<br>
> front-ends. It's dead, let's move on. Supporting a dead open-source project<br>
> hurts the actively developed efforts out there.<br>
><br>
> Squert is a bad ass project in active development. One thing James didn't<br>
> mention though is that it requires Sguil which utilizes an entirely<br>
> different DB schema than the ones provided by the snort/barnyard2 db output<br>
> plugins. Sguil requires a bit more expertise to get up and running than your<br>
> standard Snort + front-end solution. If you want to go that route Squert is<br>
> a good Sguil companion.<br>
><br>
> Snorby is a RECENT development in the community. It was first introduced in<br>
> 2009 and has far surpassed BASE in functionality. I work with Mephux<br>
> developing Snorby and here are some of the reasons I would recommend it to<br>
> anyone:<br>
><br>
> It's actively developed by two passionate NSM analysts.<br>
> It allows you to pivot on datapoints in the events without interrupting<br>
> analyst's thought process (rule content, related alerts, IP ARIN/whois data)<br>
> It integrates with OpenFPC and Solera DeepSee products for Full Packet<br>
> Capture.<br>
> It has exportable and beautiful PDF reports and metrics.<br>
><br>
> The security industry is evolving so rapidly that choosing a dead project<br>
> like BASE for your SOC, MSSP, CIRT, or even personal use is just setting you<br>
> up for failure.<br>
><br>
> Other people agree with this assessment and that is why the project has been<br>
> accepted into Security Onion Distro and featured on The Change Log.<br>
> Other analysts are excited about Snorby as well. Check out these articles:<br>
><br>
> <a rel="nofollow" target="_blank" href="http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx">http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx</a><br>
> <a rel="nofollow" target="_blank" href="http://www.aldeid.com/wiki/An-interesting-forensics-analysis">http://www.aldeid.com/wiki/An-interesting-forensics-analysis</a><br>
><br>
> If you want to check out Snorby check out our live demo at<br>
> <a rel="nofollow" target="_blank" href="http://demo.snorby.org">http://demo.snorby.org</a> (u: <a rel="nofollow">demo@...15054...</a>, p: snorby)<br>
> If you want to test out Snorby in your environment, check out Insta-Snorby<br>
> (<a rel="nofollow" target="_blank" href="http://www.snorby.org">www.snorby.org</a>), it's a turn-key Snorby.<br>
> Enjoy the project and please support us!<br>
> Mephux and Terracatta<br>
> On Tue, Aug 23, 2011 at 7:34 PM, James Lay <<a rel="nofollow">jlay@...13475...</a>> wrote:<br>
>><br>
>><br>
>> On 8/23/11 5:04 PM, "alexus" <<a rel="nofollow">alexus@...11827...</a>> wrote:<br>
>><br>
>> >I was wondering what are popular/good web interfaces these days?<br>
>> ><br>
>> >--<br>
>> ><a rel="nofollow" target="_blank" href="http://alexus.org/">http://alexus.org/</a><br>
>> ><br>
>><br>
>> >------------------------------------------------------------------------------<br>
>> >EMC VNX: the world's simplest storage, starting under $10K<br>
>> >The only unified storage solution that offers unified management<br>
>> >Up to 160% more powerful than alternatives and 25% more efficient.<br>
>> >Guaranteed. <a rel="nofollow" target="_blank" href="http://p.sf.net/sfu/emc-vnx-dev2dev">http://p.sf.net/sfu/emc-vnx-dev2dev</a><br>
>> >_______________________________________________<br>
>> >Snort-users mailing list<br>
>> ><a rel="nofollow">Snort-users@lists.sourceforge.net</a><br>
>> >Go to this URL to change user options or unsubscribe:<br>
>> ><a rel="nofollow" target="_blank" href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
>> >Snort-users list archive:<br>
>> ><a rel="nofollow" target="_blank" href="http://www.geocrawler.com/redir-sf.php3?list=snort-users">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br>
>> ><br>
>> >Please visit <a rel="nofollow" target="_blank" href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest<br>
>> >Snort news!<br>
>><br>
>> BASE seems to give the maximum amount of information/reports vs. ease of<br>
>> install.  SQueRT is awesome, but does require a few extra processes<br>
>> running.  Snorby is "ok"...not very good for reports at least in my<br>
>> experience.  For SQueRT and Snorby, it's pretty crucial that you have a<br>
>> tuned snort install since you don't have an easy method to delete entries.<br>
>><br>
>> James<br>
>><br>
><br>
><br>
</div></div></blockquote></div><br>
</td>
                                    </tr>
                                </tbody>
                            </table>
                    </div></div></div>
                </div>
            </div>
</blockquote></div><br>
</td>
                                    </tr>
                                </tbody>
                            </table>
                    </div></div></div>
                </div>
            </div>
</blockquote></div><br>
</td>
                                    </tr>
                                </tbody>
                            </table>
                    </div>
                </div>
            </div>
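<p>Martin Holste's suggestion of having Snort (or Barnyard) write alerts to syslog and shipping them to a SIEM, and James Lay's point that the front-ends give you no easy way to delete entries so the sensor has to be tuned first, both come down to one analyst task: parse the alert lines and find the rules that fire most. The Python below is an added example, not code from the thread or from Snort, Snorby or Splunk; it assumes the <code>[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -&gt; dst:port</code> line layout of Snort's alert_syslog/alert_fast outputs, and the sample lines are constructed.</p>

```python
"""Parse Snort alert lines shipped over syslog and rank the noisiest rules.

Added example (not code from the thread or from Snort/Snorby). It assumes the
line layout of Snort's alert_syslog and alert_fast output plugins:
"[gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src:port -> dst:port".
"""
from __future__ import annotations

import re
from collections import Counter

# search() rather than match() so a syslog header or alert_fast timestamp in
# front of the alert body is skipped. The colon after "[Priority: n]"
# (alert_syslog) and the ports (absent for ICMP) are optional.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample input (not real sensor output): four syslog-style lines,
# one alert_fast-style line and one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Aug 23 20:03:12 sensor1 snort[2412]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.5:43210
Aug 23 20:03:13 sensor1 snort[2412]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.6:43211
Aug 23 20:03:14 sensor1 snort[2412]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.7 -> 192.0.2.10
Aug 23 20:03:15 sensor1 snort[2412]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.8:43212
08/23-20:03:16.000000  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 1] {UDP} 198.51.100.9:5353 -> 192.0.2.20:5353
Aug 23 20:03:17 sensor1 sshd[900]: Accepted publickey for analyst from 198.51.100.2
"""


def parse_alert(line: str) -> dict | None:
    """Return the alert fields of one log line, or None if it is not a Snort alert."""
    m = ALERT_RE.search(line.replace("[**]", " "))  # alert_fast wraps msg in [**]
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def parse_log(text: str) -> list[dict]:
    """Parse every line of a log file, skipping lines that are not alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]


def noisiest_rules(alerts: list[dict], top: int = 3) -> list[tuple[tuple[int, int, str], int]]:
    """Rank (gid, sid, msg) by alert count: the first candidates for a threshold
    or suppress entry, since the front-end will not let you delete them later."""
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    return counts.most_common(top)


if __name__ == "__main__":
    for (gid, sid, msg), n in noisiest_rules(parse_log(SAMPLE_LOG)):
        print(f"{n:4d}  {gid}:{sid}  {msg}")
```

The ranked gid:sid pairs are what you would turn into `suppress` or `event_filter` entries in Snort's threshold configuration before pointing Snorby or Splunk at the feed.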