Snort mailing list archives
RE: Base vs. Acid
From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 26 Nov 2004 23:34:35 -0500
Stef wrote:
Could someone explain to me the exact needs being addressed by either, from an Intrusion Analyst point of view, when having at one's disposal Sguil?
http://www.informit.com/articles/article.asp?p=350390
Stef

Hi Stef,

I am the author of the book from which that Informit.com story was derived. [0] I did not invent the title "Why Sguil Is the Best Option for Network Security Monitoring Data." I guess the original title of chapter 10, "Alert Data: NSM Using Sguil," wasn't cool enough for Informit.com. :)

Here are five reasons why Sguil is different from ACID, BASE, and similar products:

1. Sguil is a real-time interface to Snort alerts (and more). Sguil is not used with a Web browser. As Snort generates alerts, they appear in near-real-time (generally within a second or two) within a Tcl/Tk interface. Contrary to the reporting in O'Reilly's "Managing Snort and IDS Tools," which says "the only way to get a remote client to connect to a central server is by using an exported X-session," Sguil is natively client-server and does NOT need to export X sessions. [1]

2. Sguil is a Snort alert management system with integrated analyst accountability features. Users are not expected to passively let Snort pump alerts into the Sguil display for days and days. Analysts investigating security incidents using Sguil have the option to classify Snort events with a range of categories (I through VII, derived from the incident categories we used in the USAF). [2] When an analyst categorizes a Snort alert, it is marked in our database with the category, the analyst's login, a timestamp, and an optional comment. This accountability feature allows higher tier analysts to quality-review the work of lower tier analysts. For post-event investigations, analysts can query by category (say Cat VI, reconnaissance) to see all activity of a certain type. They don't need to string together a possible set of Snort alert messages and query by those parameters.

3. Sguil offers growing alert handling capabilities. If an alert arrives that meets a type of your choosing, Sguil can email you selected alert details. If you want Snort to alert on certain types of activity, you can let Sguil auto-categorize the Snort alerts. For example, you could tell Sguil to always mark SQL Slammer events as Cat IIIs (attempted compromise). If a lower tier analyst doesn't know how to categorize an alert upon first review, she can escalate that alert to a new Sguil section reserved for higher tier review. (This is Sguil's "Escalated" tab.) This feature facilitates a multi-tiered analysis process where lower tier analysts deal with front-line alerts and more senior analysts deal with the more interesting alerts.

4. Sguil is built to minimize "window management," "form management," and other non-analytical tasks. Anyone who's used the interface from a large IDS company in Atlanta knows what I mean. The more time an analyst spends clicking through drill-down menus or moving around windows, the less time she spends investigating incidents. Querying the Sguil database can be done with pre-built queries, a query builder, or via raw, hand-built SQL statements. Sguil can be as flexible as the analyst using it.

5. Most importantly, Sguil is not limited to investigating events using Snort alert data alone. Sguil is the analyst console for Network Security Monitoring (NSM). NSM is the collection, analysis, and escalation of indications and warning to detect and respond to intrusions. Snort alerts are one form of NSM data; the others are session data, full content data, and statistical data. Sguil collects session data by integrating with SANCP, allowing analysts to collect summaries of conversations (or flows) between hosts, COMPLETELY INDEPENDENT of whether or not Snort generated an alert. [3] Sguil also collects full content data (libpcap traffic) COMPLETELY INDEPENDENT of whether or not Snort generated an alert.

Sounds great, right? Here's what Sguil is not:

1. Sguil is not easy to install. Sguil 0.5.3 will arrive soon, but we have lots of work to do to ease installation prior to 1.0. Since Sguil is mostly written in Tcl/Tk, your host OS needs a variety of libraries that sometimes aren't installed by default. My install guide (tested on FreeBSD) addresses all of these issues. [4] Newbies worried about installation but looking to start using IDSs should start by sending their Snort alerts to a text file. (That would reduce the "no alerts in ACID database" messages to snort-users!)

2. Sguil is not a SIM or SEM product. We don't take in syslog, NT event logs, other host-based data, firewall logs, whatever. Sguil collects the NSM data we've found to be most useful for detecting and responding to incidents. Sguil has been deployed to investigate intrusions in some very interesting locations, and has been used to identify and resolve issues using the alert, session, and full content data Sguil collects, independent of router logs, etc.

3. Sguil is not an IPS (aka a layer-7 firewall). If we said Sguil was an IPS, we might get more attention. The Sguil devs believe detection and prevention are separate security layers that should be provided by separate devices and processes. [5] Still, we are working with Frank Knobbe to integrate SnortSam. In the future, analysts could right-click on an IP and shun it. We haven't experimented with the new snort-inline functions of Snort 2.3 but they should work by default, as they are part of Snort itself.

If you have any questions about Sguil or need help with installation, visit us in IRC at irc.freenode.net, #snort-gui. I also recommend reading the aforementioned book chapter or checking out the Sguil Flash demo. [6]

Sincerely,

Richard
http://www.taosecurity.com

[0] The Tao of Network Security Monitoring: Beyond Intrusion Detection (Addison-Wesley, 2005) http://www.taosecurity.com/books.html
[1] http://www.mcabee.org/lists/snort-users/Sep-04/msg00588.html
[2] http://sguil.sourceforge.net/index.php?page=incident_categories
[3] http://www.metre.net/sancp.html
[4] http://sguil.sourceforge.net/sguil_guide_latest.txt
[5] Considering Convergence? http://www.taosecurity.com/publications.html
[6] http://sguil.sourceforge.net/index.php?page=flashdemo
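The categorization, auto-categorization, escalation and query-by-category workflow that points 2 and 3 of the message above describe, as an added example that is not part of the original post and is not Sguil's own code. The table layout, the rule table, the analyst logins and the sample alerts (signature names included) are all constructed for this example; Sguil's real schema and Snort's real output are not reproduced here.

```python
"""Toy model (not Sguil's code) of analyst accountability for IDS alerts:
each categorization records who decided, when, and why; rules can
pre-categorize; unsure analysts escalate instead of guessing; and
investigators query by category rather than by signature name."""
import sqlite3
from datetime import datetime, timezone

# Category labels quoted in the post; I..VII are valid, only these are labelled.
CATEGORY_LABELS = {3: "attempted compromise", 6: "reconnaissance"}

# Constructed sample alerts: (sid, signature, src, dst). Not real Snort output.
SAMPLE_ALERTS = [
    (1, "MS-SQL Worm propagation attempt", "198.51.100.23", "10.0.0.5"),
    (2, "ICMP PING NMAP", "198.51.100.40", "10.0.0.7"),
    (3, "WEB-MISC /etc/passwd", "198.51.100.77", "10.0.0.9"),
]

# Hypothetical auto-categorization rules: signature -> category.
# Mirrors the post's example of always marking Slammer as Cat III.
AUTO_RULES = {"MS-SQL Worm propagation attempt": 3}


def now_iso():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_db():
    """In-memory event store: the alert plus its review metadata."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE event (
               sid INTEGER PRIMARY KEY,
               signature TEXT NOT NULL,
               src TEXT NOT NULL,
               dst TEXT NOT NULL,
               category INTEGER,      -- NULL until an analyst or rule decides
               analyst TEXT,          -- login of whoever decided
               reviewed_at TEXT,      -- when they decided
               comment TEXT,
               escalated INTEGER NOT NULL DEFAULT 0)"""
    )
    db.executemany(
        "INSERT INTO event (sid, signature, src, dst) VALUES (?, ?, ?, ?)",
        SAMPLE_ALERTS,
    )
    return db


def categorize(db, sid, category, analyst, comment=None):
    """Record a category together with who decided it and when."""
    if category not in range(1, 8):
        raise ValueError("category must be I..VII (1..7)")
    cur = db.execute(
        "UPDATE event SET category=?, analyst=?, reviewed_at=?, comment=?, "
        "escalated=0 WHERE sid=?",
        (category, analyst, now_iso(), comment, sid),
    )
    if cur.rowcount != 1:
        raise KeyError(f"no event with sid {sid}")


def auto_categorize(db):
    """Apply AUTO_RULES to alerts nobody has reviewed yet; return how many."""
    changed = 0
    for signature, category in AUTO_RULES.items():
        cur = db.execute(
            "UPDATE event SET category=?, analyst='autocat', reviewed_at=? "
            "WHERE signature=? AND category IS NULL",
            (category, now_iso(), signature),
        )
        changed += cur.rowcount
    return changed


def escalate(db, sid, analyst, comment):
    """Park an alert for higher-tier review instead of guessing a category."""
    db.execute(
        "UPDATE event SET escalated=1, analyst=?, reviewed_at=?, comment=? "
        "WHERE sid=?",
        (analyst, now_iso(), comment, sid),
    )


def by_category(db, category):
    """Post-event query: every alert marked with one category."""
    rows = db.execute(
        "SELECT sid, signature, analyst FROM event WHERE category=? ORDER BY sid",
        (category,),
    )
    return [tuple(r) for r in rows]


def escalated(db):
    """What the higher tier still has to look at."""
    return [r[0] for r in db.execute(
        "SELECT sid FROM event WHERE escalated=1 ORDER BY sid")]


def demo():
    db = open_db()
    auto_categorize(db)                                 # sid 1 -> Cat III
    categorize(db, 2, 6, "tier1", "nmap ping sweep")    # sid 2 -> Cat VI
    escalate(db, 3, "tier1", "unsure if this is a real traversal attempt")
    return db


if __name__ == "__main__":
    db = demo()
    for sid, sig, who in by_category(db, 6):
        print(f"Cat VI ({CATEGORY_LABELS[6]}): sid={sid} {sig} by {who}")
    print("escalated for higher-tier review:", escalated(db))
```

The point of the analyst and reviewed_at columns is the quality-review loop the post describes: a senior analyst can pull every Cat VI decision a given login made in a time window and check them, and escalated rows are found by state rather than by remembering which signatures looked odd.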
Current thread:
- Base vs. Acid Kenneth Jacker (Nov 27)
- <Possible follow-ups>
- RE: Base vs. Acid Esler, Joel - Contractor (Nov 27)
- Re: Base vs. Acid Stef (Nov 27)
- RE: Base vs. Acid Michael Steele (Nov 27)
- Re: Base vs. Acid Stef (Nov 27)
- RE: Base vs. Acid Esler, Joel - Contractor (Nov 27)
- Re: Base vs. Acid Edin Dizdarevic (Nov 27)
- RE: Base vs. Acid Esler, Joel - Contractor (Nov 27)
- RE: Base vs. Acid Turnquist,Wayne (Nov 27)
- RE: Base vs. Acid Kevin Johnson (Nov 27)
- Re: Base vs. Acid Joel Esler (Nov 29)
- RE: Base vs. Acid Kevin Johnson (Nov 27)
- RE: Base vs. Acid Richard Bejtlich (Nov 27)
- RE: Base vs. Acid James Lay (Nov 27)
- RE: Base vs. Acid Kevin Johnson (Nov 28)
- RE: Base vs. Acid Joel Esler (Nov 29)