Snort mailing list archives
Re: HELP ON SNORT
From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 30 Jan 2012 13:08:17 -0700
-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Monday, January 30, 2012 12:25 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HELP ON SNORT

My situation is that we are a small shop and we need tools that minimize the analyst's time.

Fortunately/Unfortunately, BASE is the tool we're using for NIDS event analysis, and the reason is that to minimize analysis time, we've integrated the tools with other sources of information in our layered defense strategy (and BASE was easy to modify since it is built upon PHP.) Correlation is key, IMO, and seems to be missing from most of the front-end tools. (Maybe OSSIM does this a bit. Never got it working properly.)

When you see an alert on your NIDS:
How do you determine if the endpoint system is vulnerable?
How do you determine if the endpoint security software blocked the attempt?
How do you determine if the alert was generated from a client request that may have been blocked by your proxy or other edge device?

If you have to go to other tools to do any of that, you are wasting analyst time. Ideally it should all be just there on the screen without drilling down into anything (a bit more difficult to do.)

I guess we are getting into SIEM territory here... sometimes the SIEMs don't even do a good job of this though.
I'd all but abandoned BASE, but Sagan brought new life to it. Ironically, Snort alerts aren't what I was interested in, but everything BUT Snort... firewall hits were especially of interest... sure I can monitor, but trending over time was a question, and Sagan plus BASE really shine in this area. Check out Sagan... it is well worth it.

James
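Shawn's three triage questions, worked through as an added example (my code, not Shawn's, James's, BASE's or Sagan's). It assumes a Snort fast-format alert log, an iptables-style firewall log, a scanner-fed asset inventory and endpoint-agent block events; all of the sample data is constructed here, including the placeholder sid and CVE id.

```python
import re
# Snort "fast" alert format: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
# iptables-style firewall log line; only the fields we correlate on are extracted.
FW_RE = re.compile(r"(?P<action>DROP|ACCEPT).*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?DPT=(?P<dport>\d+)")
# Constructed sample data (not from the thread): a local-range sid whose rule metadata references a
# placeholder CVE, a scanner-style inventory, one firewall log line and one endpoint-agent event.
RULE_REFS = {"1000001": {"CVE-0000-0001"}}
INVENTORY = {
    "192.0.2.20": {"ports": {445}, "open_cves": {"CVE-0000-0001"}},  # exposed and vulnerable
    "192.0.2.30": {"ports": {22}, "open_cves": set()},                # targeted port not listening
    "192.0.2.40": {"ports": {445}, "open_cves": {"CVE-0000-0001"}},  # exposed, vulnerable, nothing blocked it
}
FW_LOG = ["Jan 30 12:25:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=192.0.2.30 PROTO=TCP SPT=4444 DPT=445"]
AV_LOG = [{"host": "192.0.2.20", "action": "blocked", "cve": "CVE-0000-0001"}]
SNORT_ALERTS = [
    "01/30-12:25:01.000000  [**] [1:1000001:1] LOCAL example exploit attempt [**] [Classification: Attempted "
    "Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:4444 -> 192.0.2.%d:445" % n for n in (20, 30, 40)]

def parse_alert(line):
    """Parse one fast-format line into a dict of named fields; reject anything else."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError("not a Snort fast-format alert: " + line)
    return m.groupdict()
def edge_blocked(a):
    """True if the firewall logged a DROP for the same src/dst/dport (a real deployment would also bound the time)."""
    for line in FW_LOG:
        m = FW_RE.search(line)
        if m and m["action"] == "DROP" and (m["src"], m["dst"], m["dport"]) == (a["src"], a["dst"], a["dport"]):
            return True
    return False

def endpoint_blocked(a):
    """True if the endpoint agent on the target reported blocking the vulnerability this rule references."""
    return any(e["host"] == a["dst"] and e["action"] == "blocked" and e["cve"] in RULE_REFS.get(a["sid"], set()) for e in AV_LOG)

def enrich(line):
    """Answer the three triage questions for one alert and attach a verdict the analyst can act on."""
    a = parse_alert(line)
    host = INVENTORY.get(a["dst"], {"ports": set(), "open_cves": set()})
    listening = int(a["dport"]) in host["ports"]
    vulnerable = listening and bool(RULE_REFS.get(a["sid"], set()) & host["open_cves"])
    blocked = [name for name, check in (("edge", edge_blocked), ("endpoint", endpoint_blocked)) if check(a)]
    verdict = ("low: target not vulnerable" if not vulnerable else
               "contained: blocked by " + ",".join(blocked) if blocked else "investigate: vulnerable target, nothing blocked")
    return {"sid": a["sid"], "dst": a["dst"], "vulnerable": vulnerable, "blocked_by": blocked, "verdict": verdict}
```

Of the three constructed alerts, only the one against 192.0.2.40 comes back as "investigate"; the other two are answered from the inventory, firewall and endpoint data without the analyst opening another tool.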