Snort mailing list archives

Re: Am I in the right place? (was: Tips for using ACID in a multi-adm in environment)


From: Bamm Visscher <bamm () satx rr com>
Date: Thu, 29 May 2003 15:20:24 -0500

Jon,

I have both of these messages saved, with the intent on replying in detail to both. Unfortunately, I haven't had a lot 
of extra time on my hands lately. I do work for a Fortune 500 Company, and we use snort very successfully. We have 
sensors in many different locations, and I work remotely (telecommute). Although we use snort as our 'base' IDS, we 
have our own interface and DB schema. For reasons I won't go into detail about, we cannot release that interface. I am, 
however, working on an opensource project that will replace our proprietary implementation at some point. This project 
can be found on sourceforge at http://sguil.sourceforge.net.  Sguil allows multiple clients to connect, and work 
together while monitoring multiple sensors. Events are analyzed and then placed into different incident categories, or 
marked 'NA' (for no further action required). When an analyst marks an event (or a series of events) for 
classification, it is removed from all connected consoles. The events remain in the DB, with a history of who 
categorized the event and any comments the analyst made on it. "Archived" events can be pulled back up in the console 
with simple SQL queries. Sguil also provides a series of hooks to other third party tools like ethereal, p0f, and 
tcpflow. I suppose I could go on and on, and we really do need to develop an analysts guide for using sguil (time, 
time, time!), but your best bet is to download it and give it a whirl. I'll gladly answer any questions you may have 
and am more than willing to accept any criticism or help you have to offer. My goal (with the support of my management) 
is to build a tool that is truly useful for us, and companies like ours, with support of the opensource community. The 
worst part of having a proprietary system is knowing that if key individuals go away, so does your support.

Bammkkkk
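The event lifecycle described in the message above (alerts sit in every connected console until an analyst classifies them, classification pulls them off the consoles but keeps them in the database together with who categorized them and any comment, and "archived" events come back with a plain SQL query) is easy to see in a small data model. The following is an added illustration, not Sguil's own schema or code: the table layout, the category labels, the analyst names and the sample alerts are all constructed for this example, and the SQLite store stands in for whatever database a real deployment uses.

```python
"""Event triage store modelled on the workflow described in the post.

Constructed example, not Sguil's schema or code: tables, category labels
and sample alerts are invented for illustration only.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed category labels; the post only names 'NA' (no further action).
CATEGORIES = ("NA", "CAT_RECON", "CAT_COMPROMISE", "CAT_POLICY")


def open_store() -> sqlite3.Connection:
    """Create an in-memory store: one table of alerts, one table of classification history."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE event (
            sensor_id  INTEGER NOT NULL,   -- which sensor raised the alert
            event_id   INTEGER NOT NULL,   -- per-sensor alert counter
            seen_at    TEXT    NOT NULL,
            src_ip     TEXT    NOT NULL,
            dst_ip     TEXT    NOT NULL,
            signature  TEXT    NOT NULL,
            category   TEXT,               -- NULL while the event is still unclassified
            PRIMARY KEY (sensor_id, event_id)
        );
        CREATE TABLE history (
            sensor_id  INTEGER NOT NULL,
            event_id   INTEGER NOT NULL,
            category   TEXT    NOT NULL,
            analyst    TEXT    NOT NULL,
            changed_at TEXT    NOT NULL,
            comment    TEXT
        );
        """
    )
    return conn


def add_event(conn, sensor_id, event_id, seen_at, src_ip, dst_ip, signature):
    """Store a new alert; it starts unclassified, so every console shows it."""
    with conn:
        conn.execute(
            "INSERT INTO event VALUES (?, ?, ?, ?, ?, ?, NULL)",
            (sensor_id, event_id, seen_at, src_ip, dst_ip, signature),
        )


def console_view(conn):
    """The shared work queue: only events nobody has classified yet."""
    rows = conn.execute(
        "SELECT sensor_id, event_id, signature FROM event "
        "WHERE category IS NULL ORDER BY seen_at, sensor_id, event_id"
    )
    return [tuple(r) for r in rows]


def classify(conn, analyst, category, keys, comment=None):
    """Classify one or a series of events in a single transaction.

    Each event leaves the console view (its category is set) and a history row
    records who classified it, when, and the analyst's comment. Nothing is
    deleted. If any key is not an open event the whole batch is rolled back.
    """
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with conn:  # commit on success, roll back if anything below raises
        for sensor_id, event_id in keys:
            updated = conn.execute(
                "UPDATE event SET category = ? "
                "WHERE sensor_id = ? AND event_id = ? AND category IS NULL",
                (category, sensor_id, event_id),
            ).rowcount
            if updated != 1:
                raise LookupError(f"event {(sensor_id, event_id)} is not open")
            conn.execute(
                "INSERT INTO history VALUES (?, ?, ?, ?, ?, ?)",
                (sensor_id, event_id, category, analyst, now, comment),
            )
    return len(keys)


def archived(conn, category=None, src_ip=None):
    """Pull archived events back up, with who classified them and their comment."""
    conditions, params = [], []
    if category is not None:
        conditions.append("h.category = ?")
        params.append(category)
    if src_ip is not None:
        conditions.append("e.src_ip = ?")
        params.append(src_ip)
    where = (" WHERE " + " AND ".join(conditions)) if conditions else ""
    sql = (
        "SELECT e.sensor_id, e.event_id, e.signature, e.src_ip, "
        "h.category, h.analyst, h.comment "
        "FROM event e JOIN history h "
        "ON e.sensor_id = h.sensor_id AND e.event_id = h.event_id"
        + where + " ORDER BY e.sensor_id, e.event_id"
    )
    return [tuple(r) for r in conn.execute(sql, params)]


def demo():
    """Constructed alerts from two sensors, triaged by two analysts."""
    conn = open_store()
    add_event(conn, 1, 101, "2003-05-29T10:00:00Z", "10.0.0.5", "192.0.2.10", "sample scan alert")
    add_event(conn, 1, 102, "2003-05-29T10:00:05Z", "10.0.0.5", "192.0.2.11", "sample scan alert")
    add_event(conn, 2, 7, "2003-05-29T10:01:00Z", "198.51.100.4", "192.0.2.20", "sample web alert")
    # Two related alerts are closed together as 'NA'; both vanish from every console at once.
    classify(conn, "alice", "NA", [(1, 101), (1, 102)], comment="internal vulnerability scanner")
    classify(conn, "bob", "CAT_RECON", [(2, 7)], comment="external probe, blocked at the firewall")
    return conn
```

The two design points worth noting are that classification is an update plus a history insert rather than a delete, so the audit trail (who, when, why) survives and the event can be re-queried, and that the `category IS NULL` guard inside the transaction means two analysts working the same queue cannot both claim the same event: the second attempt finds nothing to update and the batch rolls back.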

On Thu, May 29, 2003 at 01:46:02PM -0500, Williams Jon wrote:
I apologize if this seems a bit troll-like, I don't intend it to be.  I
posted this message a couple of weeks ago and got zero responses.  A few
days later, someone else asked about Fortune 500 users and I saw, I think,
one response.  While I read this list a lot, I'm starting to wonder if I'm
asking questions in the right place.

I've been using snort for a while now, something like 2-3 years, and am
monitoring a moderate amount of traffic (i.e. the busiest box is watching
between 50-60 mbps sustained during business hours, and I've got several
scattered across multiple timezones).  I believe, rightly or wrongly, that
I've gone through the same phases that I see a lot of people go through on
this list (how do I build it, why doesn't it run, why do I get so many
alerts for stuff I don't care about, how do I write a custom rule) and am
now starting to ask other questions, like the one below.  Since I don't get
any response, I'm not sure if a) people are too concerned about their
corporate security to share, b) are willing to share but are no longer on
this particular list, c) are willing to answer, but my situation is unique,
or d) there's no answer to my problems.

So, is there a better list for advanced snort issues and/or enterprise snort
deployment questions?  If not, are there people on this list who've gone
through these issues and don't want to discuss them in a public forum?  As I
said, I'm not trying to be a rabble-rouser, it's just that the great support
from the mailing list was one of the selling points when I convinced
management to go Open Source, so it's a bit confusing/embarrassing when I
send out questions that get no response at all.

Thanks!

Jon


