Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort web interface

From: Dustin Webber <dustin.webber () gmail com>
Date: Tue, 23 Aug 2011 22:35:14 -0400
Alex,

The yahoo reference was intended to provoke conversation about change.
People tend to have a confort zone about software that is inevitably leading
to his/her doom. As a software engineer i don' even understand the word
`preference` or `preferrer`.. only what is suitable for the current problem.

By all means.. continue using BASE if you are comfortable with it and if its
a common dependence. I mean, people still write lisp.. so i guess thats ok,,
right?

Dustin W. Webber
Dustin.Webber () gmail com


On Tue, Aug 23, 2011 at 10:27 PM, Alex Wright <wrightalexw () yahoo com> wrote:


I have a gmail also. I can reg that if it makes the gods happy. I responded
saying BASE is standard oh no. It is a common standard. OSS means you
decide.


Sent from Yahoo! Mail on Android

 ------------------------------
* From: * Dustin Webber <dustin.webber () gmail com>;
* To: * Alex Wright <wrightalexw () yahoo com>;
* Cc: * mcholste () gmail com <mcholste () gmail com>;
snort-users () lists sourceforge net <snort-users () lists sourceforge net>;
* Subject: * Re: [Snort-users] snort web interface
* Sent: * Wed, Aug 24, 2011 2:22:28 AM

  Alex,

Pain?.. dude, you are using yahoo mail.. you really expected use to take
you seriously? You offered advise based on age?. `Whats the center of the
universe?` said person X. `Well, the sun obviously.. based on age and
commonality.`

please..

Dustin W. Webber
Dustin.Webber () gmail com


On Tue, Aug 23, 2011 at 10:19 PM, Alex Wright <wrightalexw () yahoo com>wrote:


So much pain.


Sent from Yahoo! Mail on Android

 ------------------------------
* From: * Dustin Webber <dustin.webber () gmail com>;
* To: * Alex Wright <wrightalexw () yahoo com>;
* Cc: * mcholste () gmail com <mcholste () gmail com>;
snort-users () lists sourceforge net <snort-users () lists sourceforge net>;
* Subject: * Re: [Snort-users] snort web interface
* Sent: * Wed, Aug 24, 2011 2:13:49 AM


Alex,

Like I said.. not trying to be mean.. think of it as `information security
intervention`. - Sometime the truth feels like an insult.. but its just
the truth.

Dustin W. Webber
Dustin.Webber () gmail com


On Tue, Aug 23, 2011 at 10:10 PM, Alex Wright <wrightalexw () yahoo com>wrote:


 I responded to the popular half. And agreed with you. I'm sure insults
commonly progress things though.


 Sent from Yahoo! Mail on Android

 ------------------------------
* From: * Dustin Webber <dustin.webber () gmail com>;
* To: * Alex Wright <wrightalexw () yahoo com>;
* Cc: * mcholste () gmail com <mcholste () gmail com>;
snort-users () lists sourceforge net <snort-users () lists sourceforge net>;
 * Subject: * Re: [Snort-users] snort web interface
* Sent: * Wed, Aug 24, 2011 2:06:14 AM


Well.. VI is pretty common.. but if you use that over VIM,, well you're
just an idiot. -- dude, not trying to be mean.. but srsly.. you are setting
us all back in evolution.. just stop.

Dustin W. Webber
Dustin.Webber () gmail com


On Tue, Aug 23, 2011 at 10:04 PM, Alex Wright <wrightalexw () yahoo com>wrote:


 Superiority doesn't prevent BASE from being common.

-adam


Sent from Yahoo! Mail on Android

 ------------------------------
* From: * Dustin Webber <dustin.webber () gmail com>;
* To: * Martin Holste <mcholste () gmail com>;
* Cc: * Snort <snort-users () lists sourceforge net>;
 * Subject: * Re: [Snort-users] snort web interface
* Sent: * Wed, Aug 24, 2011 1:55:52 AM

  All,

Very concerned with the comments by James Lay and Adam
Wright... Idiotic to say the least... anyways..

Second, I don't think I have ever heard anyone sum up how important full
packet capture is then Martin Holste just did (since Bam/Richard of course).
I'm biases in this decision because I started and maintain snorby but if you
decided to use another tool please make sure it follows the NSM guidelines.
Sguil, snorby, Squert and the upcoming nsmframework are your best
options for a proper IR/NSM solutions.

Martin, I would like to work with you on getting StreanDB a proper
snorby plugin/menu selection.

Dustin W. Webber
Dustin.Webber () gmail com
(913) 375-2798


On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste () gmail com>wrote:


I agree with Jason:  BASE is dead and clunky, and not all that easy to
install.  If you are looking for a dead simple install with no traffic
integration, then I suggest having Snort (or barnyard) output to
syslog and send it to a personal version of Splunk, which is free.
You can get that up and running in about five minutes.  However,
Snorby is superior and worth putting a few more (but not too many
more) minutes of time because you get the packet integration.  In my
opinion, unless you have access to the traffic you are inspecting with
your IDS in some sort of raw form, you are operating a crippled
installation and have no way to make informed decisions about good or
bad events on the network.

I will also mention that Snorby integrates with my
StreamDB.googlecode.com project which is OpenFPC compatible, but
several orders of magnitude faster than OpenFPC.  So my recommendation
would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
retrieval is just too slow for my taste, and so that precludes running
Squert.

On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller () gmail com>
wrote:

Alexus,
Full disclosure, I work with Mephux on Snorby but I don't think James

or

Alex correctly or accurately answered your question, so I wanted to

throw in

my $0.02.

BASE is a dead project and hasn't had a new feature pushed since 2008

(3

years ago). It doesn't plug in with any of the packet capture

frameworks out

there and its interface is disorganized compared to the other

available

front-ends. It's dead, let's move on. Supporting a dead open-source

project

hurts the actively developed efforts out there.

Squert is a bad ass project in active development. One thing James

didn't

mention though is that it requires SQUIL which utilizes an entirely
different DB schema than the ones provided by the snort/barnyard2 db

output

plugins. SQUIL requires a bit more expertise to get up and running

than your

standard Snort + front-end solution. If you want to go that route

Squert is

a good SGUIL companion.

Snorby is a RECENT development in the community, It was first

introduced in

2009 and has far surpassed BASE in functionality. I work with Mephux
developing Snorby and here are some of the reasons I would recommend

it to

anyone:

It's actively developed by two passionate NSM analysts.
It allows you to pivot on datapoints in the events without

interrupting

analyst's thought process (rule content, related alerts, ip

arin/whois data)

It integrates with OpenFPC and Solera DeepSee products for Full

Packet

Capture.
It has exportable and beautiful PDF reports and metrics.

The security industry is evolving so rapidly that choosing a dead

project

like BASE for your SOC, MSSP, CIRT, or even personal use is just

setting you

up for failure.

Other people agree with this assessment and that is why the project

has been

accepted into Security Onion Distro and featured on The Change Log.
Other analysts are excited about Snorby as well. Check out these

articles:


http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
http://www.aldeid.com/wiki/An-interesting-forensics-analysis

If you want to check out Snorby check out our live demo at
http://demo.snorby.org (u: demo () snorby org, p: snorby)
If you want to test out Snorby in your environment, check out

Insta-Snorby

(www.snorby.org), it's a turn-key Snorby.
Enjoy the project and please support us!
Mephux and Terracatta
On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay () slave-tothe-box net>

wrote:



On 8/23/11 5:04 PM, "alexus" <alexus () gmail com> wrote:


I was wondering what's popular/good web interfaces these days?

--
http://alexus.org/






--------------------------------------------------------------------------

----
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the

latest

Snort news!


BASE seems to give the maximum amount of information/reports vs.

ease of

install.  SQueRT is awesome, but does require a few extra processes
running.  Snorby is "ok"...not very good for reports at least in my
experience.  For SQueRT and Snorby, it's pretty crucial that you

have a

tuned snort install since you don't have an easy method to delete

entries.


James






------------------------------------------------------------------------------

EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the

latest Snort

news!





------------------------------------------------------------------------------

EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest

Snort

news!




------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!











------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management 
Up to 160% more powerful than alternatives and 25% more efficient. 
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: