PaulDotCom mailing list archives

Advanced Snort analysis


From: eslerj at gmail.com (Joel Esler)
Date: Thu, 3 Dec 2009 22:24:13 -0600

On Thu, Dec 3, 2009 at 10:52 AM, Grymoire <pauldotcom at grymoire.com> wrote:


I want to make some sort of high level visualization of the IDS status
- using snort.

I am trying to use snort, mysql, acidbase, and munin, all of which
can be installed using Ubuntu's package manager. There's even a snort
plug-in for munin. Sounds easy, eh?

Well, the documentation sucks.

I looked at the Snort Statistics howto - and that's obsolete.
Not sure what you are looking for here though...
snortsnarf is non-supported and hard to find. So I found an old RPM,
installed it, and looking at its output - it's just broken.


Yeah, don't use it.
I downloaded the source of snort, and according to the
documentation, contributed source can be found at
www.snort.org/dl/contrib - but the directory no longer exists.

Correct, we cleaned out a lot of the 3rd party projects that weren't
maintained anymore when we redid the site:
http://www.snort.org/downloads/additional-downloads/
is what is left.

Base, Snorby, Sguil..
There are many web pages, and even a book - but the book is 6 years
old, and many of the web documents are also as ancient.


Snort IDS and IPS toolkit is the most recent book.  I think that one
was...  2006? 2007?
Suppose I want to have a real-time plot of IDS activities. What do
others use? And what documentation do you suggest?


I use text based alerting, but that's not really feasible for an unskilled
enterprise environment.
It's been frustrating....


The Snort-Users mailing list is also available for your reference.  Years of
archives as well as a place to ask your questions.  Please don't hesitate to
ask here, or there, there are plenty of people that have expertise in Snort
aside from me.


-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com