Snort mailing list archives

Re: HELP ON SNORT


From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 30 Jan 2012 13:08:17 -0700

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Monday, January 30, 2012 12:25 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HELP ON SNORT

My situation is that we are a small shop and we need tools that minimize the analyst's time. Fortunately/Unfortunately, BASE is the tool we're using for NIDS event analysis, and the reason is that to minimize analysis time, we've integrated the tools with other sources of information in our layered defense strategy (and BASE was easy to modify since it is built upon php.)  Correlation is key, IMO, and seems to be missing from most of the front-end tools.  (Maybe OSSIM does this a bit.  Never got it working properly.)

When you see an alert on your NIDS:

How do you determine if the endpoint system is vulnerable?
How do you determine if the endpoint security software blocked the attempt?
How do you determine if the alert was generated from a client request, that may have been blocked by your proxy, or other edge-device?

If you have to go to other tools to do any of that, you are wasting analyst time.  Ideally it should all be just there on the screen without drilling down into anything (a bit more difficult to do.)

I guess we are getting into SIEM territory here... sometimes the SIEMs don't even do a good job of this though.


I'd all but abandoned BASE, but Sagan brought new life to it.
Ironically, Snort alerts aren't what I was interested in, but everything
BUT snort...firewall hits were especially of interest...sure I can
monitor, but trending over time was a question, and Sagan plus BASE
really shine in this area.  Check out Sagan...it is well worth it.

James
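The triage questions in Shawn's quoted message (is the endpoint vulnerable, did the proxy block the request) are what a correlation layer has to answer before an analyst ever opens a drill-down. The Python below is an added example, not code from this thread, BASE or Sagan: it joins Snort fast-format alerts with Squid-style proxy lines and a hypothetical asset inventory and rule-to-software map (all constructed here) and gives each alert a verdict.

```python
import re
from datetime import datetime, timezone

# All sample data below is constructed for this example. The Snort "fast" alert
# format carries no year, so one is assumed when converting to epoch seconds.
ALERT_YEAR = 2012
SNORT_ALERTS = [
    "01/30-12:25:01.123456  [**] [1:2000001:1] CONSTRUCTED Example Viewer overflow attempt [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.9:80",
    "01/30-12:26:10.000000  [**] [1:2000001:1] CONSTRUCTED Example Viewer overflow attempt [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.6:51235 -> 203.0.113.9:80",
    "01/30-12:27:00.000000  [**] [1:2000001:1] CONSTRUCTED Example Viewer overflow attempt [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51236 -> 203.0.113.9:80",
]
PROXY_LOG = [  # Squid-style native access.log lines (constructed)
    "1327926301.400     45 10.0.0.5 TCP_DENIED/403 3000 GET http://203.0.113.9/ - HIER_NONE/- text/html",
    "1327926370.100    120 10.0.0.6 TCP_MISS/200 8192 GET http://203.0.113.9/ - HIER_DIRECT/203.0.113.9 text/html",
]
# Hypothetical analyst-maintained data: host -> installed versions, SID -> (software, affected versions)
ASSETS = {"10.0.0.5": {"Example Viewer": "1.0"}, "10.0.0.6": {"Example Viewer": "1.2"}}
RULE_AFFECTS = {2000001: ("Example Viewer", {"1.0"})}

ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\]\s+\[1:(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*\s"
                      r"([\d.]+):\d+\s+->\s+([\d.]+):\d+$")
PROXY_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+([\d.]+)\s+(\w+)/\d{3}\s+\d+\s+\w+\s+(\S+)")

def parse_alert(line):
    """Pull timestamp, SID, message, source and destination IP out of one fast-format alert."""
    m = ALERT_RE.match(line)
    when = datetime.strptime(f"{ALERT_YEAR}/{m.group(1).split('.')[0]}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": when.replace(tzinfo=timezone.utc).timestamp(), "sid": int(m.group(2)),
            "msg": m.group(3), "src": m.group(4), "dst": m.group(5)}

def parse_proxy(line):
    m = PROXY_RE.match(line)
    return {"ts": float(m.group(1)), "client": m.group(2), "status": m.group(3), "url": m.group(4)}

def enrich(alert, proxy_events, window=5.0):
    """Answer for one alert: is the source endpoint vulnerable, and did the proxy block the request?"""
    software, affected = RULE_AFFECTS.get(alert["sid"], (None, set()))
    installed = ASSETS.get(alert["src"], {}).get(software)
    vulnerable = None if installed is None else installed in affected   # None = host not in inventory
    proxy = "not seen"
    for ev in proxy_events:   # same client, same destination, within the time window
        if ev["client"] == alert["src"] and alert["dst"] in ev["url"] and abs(ev["ts"] - alert["ts"]) <= window:
            proxy = "blocked" if "DENIED" in ev["status"] else "allowed"
            break
    # Only a vulnerable-or-unknown host whose request was not blocked needs an analyst's time
    verdict = "investigate" if vulnerable is not False and proxy != "blocked" else "low"
    return {**alert, "vulnerable": vulnerable, "proxy": proxy, "verdict": verdict}

def triage(alert_lines=SNORT_ALERTS, proxy_lines=PROXY_LOG):
    proxy_events = [parse_proxy(l) for l in proxy_lines]
    return [enrich(parse_alert(l), proxy_events) for l in alert_lines]
```

With the constructed data, the first alert is a vulnerable host whose request the proxy denied, the second a patched host whose request went through, and the third an uninventoried host with no proxy record at all; only the third comes back as "investigate".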

