Snort mailing list archives
Re: HELP ON SNORT
From: Dustin Webber <dustin.webber () gmail com>
Date: Sun, 29 Jan 2012 19:38:55 -0500
All,

Cliffnotes: Snorby is not an archive interface and can scale very well when used properly.

Snorby is using NEW technology and languages. (sorry?)

hhmm, impractical use for large amounts of alerts? Well, Snorby is not an archive interface and it's intended for professionals that tune and know what they are looking for. I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes. Listen, if someone can figure out how to scale this DB scheme to that amount of raw data and still build time based metrics.. You should be working for the Google R&D team.. Because you obviously figured out how to do quantum storage / processing.

Anyway, Snorby does require ruby.. yes, you will need to install ruby related things; get over it. (we can't use php and perl forever)

- I built Snorby to scale if you use it properly and know what you're looking for.. it's not an archive viewer but a NSM tool.

Hopefully this will clear up the confusion for newcomers and `naysayers`. If you have more questions or concerns regarding snorby.. simply use the demo.. and that should be enough to convince you.

demo.snorby.org
user: snorby () snorby org
pass: snorby

- Dustin

On Jan 29, 2012, at 2:00 PM, Joel Esler wrote:
I've heard a lot of replies both on and off list in both directions. We try not to "endorse" a certain product over another unless it has a functionality that we depend on (hence why we recommend PulledPork and barnyard2). However, if a project is dead (not actively developed and has reduced functionality) I don't mind not recommending it. I've written the current BASE management in the past about missing functionality and have received 0 response. Dustin (Snorby) has always been responsive to me and the community.

The naysayers for Snorby complain about its difficulty in set up and its impractical use for large amounts of alerts.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 29, 2012, at 11:37 AM, Martin Holste <mcholste () gmail com> wrote:

The reasons that BASE should no longer be recommended are:
1. It is end-of-life. Dead.
2. There are many, many more but #1 is all you need.

As pointed out by others, if you really want the least amount of hassle, go with SecurityOnion. You cannot find a better return on your security time investment anywhere. A few clicks and you have a fully-functional, well-managed IDS and console and an active support community. I'd wager that most people could get the entire IDS and console installed from bare metal in less time than it takes to install BASE.

On Sat, Jan 28, 2012 at 11:28 AM, Dustin Webber <dustin.webber () gmail com> wrote:

All,

I just wanted to talk a bit on the install complexity concerns. Obviously, if you have a background in PHP, BASE will be a bit easier to install, but I don't think this is a reason to ignore / recommend one product over another. There are numerous docs on Snorby installation, a mailing list and a healthy community on irc.freenode / #snorby. If you have issues with installation just ask :) Snorby is also part of Security Onion so you can get a functional Snorby/Sguil install in less than 10 mins.

Anyways, try them all and use what works best for your environment.

- Dustin

Dustin W. Webber
Dustin.Webber () gmail com
(913) 375-2798

On Sat, Jan 28, 2012 at 5:46 AM, Heine Lysemose <lysemose () gmail com> wrote:

Hi

I prefer Snorby. It's far more nice and good looking. And at last it is still in development... Fair enough, it is a bit more complicated to get running in the first place; I've spent a couple of weeks getting things right, but at the end it is all worth it. Also Snorby got a great community for questions and problems.

If anyone is interested I got a small text guide for Snorby on Ubuntu 10.04 x86

/Lysemose

On Fri, Jan 27, 2012 at 11:58 PM, Joel Esler <jesler () sourcefire com> wrote:

I had a question off list the other day about whether we should stop recommending BASE as a GUI from "snort.org"'s perspective. Community? Thoughts?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 27, 2012, at 5:18 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

OTOH BASE is EOL, or at any rate is not being maintained. I actually run BASE myself but I'm getting to hate some of its failings. Snorby and Sguil are in my future, you can bet.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Friday, January 27, 2012 14:31
To: Martin Holste
Cc: snort-users () lists sourceforge net; Jagan Mohan Reddy D
Subject: Re: [Snort-users] HELP ON SNORT

I disagree a bit. BASE is very easy to set up and use and it gets the analyst up and running and able to look at results very fast. Taking the time to install Snorby or SGUIL later is probably a good idea, but BASE gets it up and running and you know it's working before you go fighting ruby or tcl.

On Fri, Jan 27, 2012 at 9:23 PM, Martin Holste <mcholste () gmail com> wrote:

Also, don't use BASE. Use Snorby.
On Tue, Jan 24, 2012 at 12:32 PM, Joel Esler <jesler () sourcefire com> wrote:

On Tue, Jan 24, 2012 at 1:24 PM, Jagan Mohan Reddy D <jagan.mohan507 () gmail com> wrote:

I am looking for snort + BASE on Ubuntu 10.04..... how do I install and configure BASE with Snort...........?

www.snort.org/docs

Similarly, how do I install & configure SnortSam on Ubuntu as an IPS......?

SnortSam is not an IPS, it's a reaction-based system. Aside from that, look into barnyard2

--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!