Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HELP ON SNORT

From: Paul Halliday <paul.halliday () gmail com>
Date: Mon, 30 Jan 2012 10:54:15 -0400
On Mon, Jan 30, 2012 at 9:42 AM, Joel Esler <jesler () sourcefire com> wrote:

On Jan 30, 2012, at 7:53 AM, Paul Halliday wrote:

On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:

On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:


I have heard these concerns as well and it always ended up being someone who
didn't tune their sensor and had 150k events every 30 minutes.


Agreed!


So do we just shake our fingers at them and move on?


No.  It starts at my/our level.  We have to make the engine easier to use,
simpler to tune, easier to understand.

...


It involves coordination with open source products to make things easier to
use and tune.  All things on my plate for this year.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


This is a good start, the second part however is quite complicated.
Think of Sguil's mantra: "Written by Analysts, for Analysts". OK, so
we just alienated everyone that isn't an experienced analyst. Snorby
(mantra aside) falls into this group as well.

What I am getting at is we have a huge tool gap. Well, its not even a
gap at all because there is only one side; hence the lack of
accessibility I mentioned earlier.

How many people have these tools installed and have absolutely no idea
what they do?  Browse Snort,Suricata,Sguil,Snorby, Seconion lists and
you will quickly see that there are many people operating heavy
machinery without a license.

Typical response:

- Well, just comment that out
- Just put a pass rule in there
- a bpf of 10.0.0.0/8 should quiet things, try that

We have so many projects, so many cool things entering and coming out
of the pipe. That said, we also have so much duplicated effort, and
absolutely no incentive to bring it all together and polish it up
enough so that there is inherent value to the not so privileged.

Maybe we have made things more complicated than they need to be? I dunno.

Not even sure where I am going with this now :), shoot with food for thought.

-- 
Paul Halliday
http://www.squertproject.org/

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: