Snort mailing list archives
Re: Snorby opinions
From: Martin Holste <mcholste () gmail com>
Date: Mon, 6 Jun 2011 19:17:25 -0500
Good discussion! I think it's good to reevaluate the status quo every so often, so taking a look at one's analysis console to see if it can be improved upon is worthwhile. Shawn, since you've modified BASE to fit your environment, you'll see less bang-for-buck in upgrading to Snorby. Most BASE users do not have single-click access to pcap/streams, and that alone makes upgrading worthwhile. However, Dustin's points are correct--tagging, workflow, reporting--these kinds of advanced features are critical in a lot of medium to large environments, and are surprisingly helpful even in small environments. Either way, having multiple viable options for viewing your alerts is important for the community to ensure quality--I like to see the bar continue to be pushed upward.

On Mon, Jun 6, 2011 at 12:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:

> All, I would like to clarify that I was talking about the languages -- not applications written in them. If you're a good programmer you could build amazing applications with anything. Just consider all languages before you start a new project. If that language works best for the job... then use it. (except php.. never use that.)
>
> Honestly.. we should all be writing in TCL anyways...
>
> Dustin W. Webber
> Dustin.Webber () gmail com
>
> On Mon, Jun 6, 2011 at 12:30 PM, Dustin Webber <dustin.webber () gmail com> wrote:
>
>> Snorby is not about being `flashy` - It's about proper interface design and workflow. The ability to produce metrics and quickly navigate (hotkeys), classify and investigate are a few of Snorby's strengths.
>>
>> Snorby will be moving to a custom collection/processing system soon using my unified2 lib (https://github.com/mephux/unified2) and the snorby-collect cl tool (https://github.com/Snorby/snorby-collect). This will open a few doors for Snorby users like event preprocessing/categorization before insert/storage using a simple and clean DSL (like a unified2 ORM - supporting all modern datastores: key/value, mongodb etc..). You will have the ability to design the datastore to fit your needs and Snorby will just sit on top with a translation layer.
>>
>> The security community seems to have a personal vendetta with design and new technology. I'm not sure I will ever fully understand why, but in my eyes if we don't start moving forward and accepting UX theory and incorporating new technologies (yes, let's stop using perl and php please) we will never evolve. </rant>
>>
>> Sometimes pretty does not mean gimmick, we just cared about it.
>>
>> Dustin W. Webber
>> Dustin.Webber () gmail com
>>
>> On Mon, Jun 6, 2011 at 12:06 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
>>
>>> I'm one of those BASE people still... It's difficult to move off of it now, since I've modified it to link with my patch management and AV/HIPS products (as well as StreamDB and OpenFPC).
>>>
>>> What does Snorby give you that BASE doesn't (besides a much flashier GUI?)
>>>
>>> -----Original Message-----
>>> From: Martin Holste [mailto:mcholste () gmail com]
>>> Sent: Sunday, June 05, 2011 9:58 AM
>>> To: Lay, James
>>> Cc: snort-users () lists sourceforge net
>>> Subject: Re: [Snort-users] Snorby opinions
>>>
>>>> Snorby is great--anyone still messing around with BASE is missing out! Also, if you want a ridiculously fast packet capture tool to integrate with Snorby, you can use StreamDB (streamdb.googlecode.com) as a drop-in replacement for OpenFPC (Snorby hooks into OpenFPC under "Packet Capture Options"). Your packets (streams in this case) will load instantaneously (versus a minute or more with OpenFPC on large pcaps).
>>>>
>>>> On Fri, Jun 3, 2011 at 10:02 AM, Lay, James <james.lay () wincofoods com> wrote:
>>>>
>>>>> Hey all! Topic says it.. anyone run Snorby here? Would love to get some opinions. I'm needing something more.. "pretty" (though personally I think tailing .fast logs in a console is pretty). Thanks for any input.
>>>>>
>>>>> James

------------------------------------------------------------------------------
Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Discover what all the cheering's about. Get your free trial download today. http://p.sf.net/sfu/quest-dev2dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users