Snort mailing list archives
Re: BASE or Snort Report ???
From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Wed, 5 Jan 2011 11:36:12 -0500
> On the topic of vaporware, didn't BASE get dumped some time ago as well?
Kevin Johnson (the primary lead developer) left the BASE project last year. I don't think the project is dead, but being "re-implemented". That's from what I understand....
> Two jobs ago I wrote a custom interface using Python/Pylons that had realtime views and analysis. At my last position I put Snorby in place and that was a real treat, blew me away with the reports available and interface. They just released 2.0 which I had been waiting for, but I've since left that company and I've graduated from dealing with such things.
Snorby is the bomb. It lacks a few things we need for our environments, but over all... I highly recommend Snorby.
> Choose something that will have room to grow and has, at the minimum, a current set of interested developers. As a few others have pointed out, you might want to consider using plugins for Snort to send alerts, or using syslog to deal with alerts; syslog-ng can handle alerts all on its own with quite a bit of intelligence. I always liked using a notification system outside of Snort, as there are many other things in the admin world that require attention. I keep them in a central place with a central syslog-ng or monitoring system.
Hence, Sagan (sagan.softwink.com). It'll not only "e-mail" out events, but take log events that are triggered by the Sagan rule set (which is incredibly similar to a Snort rule set) and plug them into a database. That is, your Snort IDS/IPS events will be under one sensor ID _and_ your log events will be under another sensor ID (Sagan's). This way, you can use Snorby (or whatever) to generate reports, view correlated events, etc.... Oh, and e-mail out events in real time if needed :)

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
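The two-sensor layout Champ describes above (Snort alerts under one sensor ID, rule-matched syslog events under another, one console correlating both), as an added example that is not part of the post and is not Sagan's or Snorby's own code. It parses constructed Snort `alert_fast` lines and constructed syslog-ng style lines, matches the syslog lines against a simplified Snort-style rule (only `msg`, `content`, `program` and `sid` are honoured; the sensor IDs 1 and 2, the local SIDs, the year, and the `from <ip>` regex used in place of Sagan's own normalisation are all assumptions), then joins the two sensors' events by source IP inside a time window:

```python
"""Two sensors, one event table: Snort alerts plus rule-matched syslog lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SNORT_SENSOR_ID = 1  # assumption: the Snort IDS/IPS row in the sensor table
SAGAN_SENSOR_ID = 2  # assumption: the log-analysis ("Sagan") sensor row
YEAR = 2011          # neither alert_fast nor syslog carries a year; assumed


@dataclass
class Event:
    sensor_id: int
    ts: datetime
    sid: int
    msg: str
    src_ip: str
    dst: str  # destination IP for Snort; reporting host for syslog


@dataclass
class Rule:
    sid: int
    msg: str
    content: str
    program: Optional[str]


# Constructed sample input (not from the thread): Snort alert_fast output
# using local SIDs in the 1000000+ range.
SNORT_FAST_ALERTS = """\
01/05-11:30:02.123456  [**] [1:1000001:1] LOCAL SSH connection burst [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
01/05-11:32:40.000000  [**] [1:1000002:1] LOCAL Inbound to MSSQL 1433 [**] [Priority: 2] {TCP} 198.51.100.4:40000 -> 192.0.2.20:1433
"""

# Constructed syslog lines as a central syslog-ng would forward them.
SYSLOG_LINES = """\
Jan  5 11:30:10 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan  5 11:30:12 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jan  5 11:31:01 bastion sshd[2213]: Accepted password for deploy from 192.0.2.55 port 51300 ssh2
Jan  5 11:31:30 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Hypothetical rule in Snort-like syntax; only the options parsed below matter.
LOG_RULES = """\
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH failed password"; program:sshd; content:"Failed password"; sid:5000001; rev:1;)
"""

SNORT_FAST_RE = re.compile(
    r"^(?P<md>\d\d/\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<body>.*)$"
)
RULE_OPT_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")  # stand-in for Sagan's normalisation


def parse_snort_fast(line: str) -> Optional[Event]:
    """One alert_fast line -> Event under the Snort sensor ID, or None if unparsable."""
    m = SNORT_FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['md']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
    return Event(SNORT_SENSOR_ID, ts, int(m["sid"]), m["msg"], m["src"], m["dst"])


def parse_rules(text: str) -> list:
    """Parse the simplified rule subset: msg, content, program, sid."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        body = line[line.index("(") + 1 : line.rindex(")")]
        opts = {}
        for m in RULE_OPT_RE.finditer(body):
            opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
        rules.append(Rule(int(opts["sid"]), opts["msg"], opts["content"], opts.get("program")))
    return rules


def match_syslog(line: str, rules: list) -> Optional[Event]:
    """First rule whose program/content match the line -> Event under the Sagan sensor ID."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for rule in rules:
        if rule.program and rule.program != m["prog"]:
            continue
        if rule.content not in m["body"]:
            continue
        ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        ip = IP_RE.search(m["body"])
        return Event(SAGAN_SENSOR_ID, ts, rule.sid, rule.msg, ip.group(1) if ip else "0.0.0.0", m["host"])
    return None


def load_events() -> list:
    """Both sensors' events in one time-ordered list, as they would sit in the shared DB."""
    events = [e for e in map(parse_snort_fast, SNORT_FAST_ALERTS.splitlines()) if e]
    rules = parse_rules(LOG_RULES)
    events += [e for e in (match_syslog(l, rules) for l in SYSLOG_LINES.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> dict:
    """src_ip -> events, kept only where both sensor IDs fired for that IP within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        if len({e.sensor_id for e in evs}) < 2:
            continue  # only one sensor saw this source; nothing to correlate
        if evs[-1].ts - evs[0].ts <= window:  # crude: whole cluster must fit the window
            hits[ip] = evs
    return hits


if __name__ == "__main__":
    for ip, evs in correlate(load_events()).items():
        print(ip, [(e.sensor_id, e.sid, e.msg) for e in evs])
```

The point of keeping separate sensor IDs is that nothing in the Snort table has to change: the log-derived rows carry their own SIDs and sensor, and the console (Snorby here) or a small join like `correlate` does the cross-source view.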
Current thread:
- Re: BASE or Snort Report ???, (continued)
- Re: BASE or Snort Report ??? Joe Pampel (Jan 04)
- Re: BASE or Snort Report ??? Jefferson, Shawn (Jan 04)
- Re: BASE or Snort Report ??? Champ Clark III [Softwink] (Jan 04)
- Re: BASE or Snort Report ??? Tilley, Brad (Jan 05)
- Re: BASE or Snort Report ??? Martin Holste (Jan 05)
- Re: BASE or Snort Report ??? Paul Halliday (Jan 04)
- Re: BASE or Snort Report ??? Garland, Ken R (Jan 04)
- Re: BASE or Snort Report ??? Bamm Visscher (Jan 05)
- Re: BASE or Snort Report ??? Jun Wan (Jan 06)
- Re: BASE or Snort Report ??? Crusty Saint (Jan 06)
- Re: BASE or Snort Report ??? Garland, Ken R (Jan 04)
- Re: BASE or Snort Report ??? Champ Clark III [Softwink] (Jan 05)
- Re: BASE or Snort Report ??? Randal T. Rioux (Jan 04)