Snort mailing list archives
Re: HELP ON SNORT
From: Jeremy Hoel <jthoel () gmail com>
Date: Mon, 30 Jan 2012 15:24:22 -0500
This looks like Squert for Sguil. Visual tools are great.

On Mon, Jan 30, 2012 at 3:08 PM, Lay, James <james.lay () wincofoods com> wrote:
-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Monday, January 30, 2012 12:25 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HELP ON SNORT

My situation is that we are a small shop and we need tools that minimize the analyst's time. Fortunately/Unfortunately, BASE is the tool we're using for NIDS event analysis, and the reason is that to minimize analysis time, we've integrated the tools with other sources of information in our layered defense strategy (and BASE was easy to modify since it is built upon php.) Correlation is key, IMO, and seems to be missing from most of the front-end tools. (Maybe OSSIM does this a bit. Never got it working properly.)

When you see an alert on your NIDS:
How do you determine if the endpoint system is vulnerable?
How do you determine if the endpoint security software blocked the attempt?
How do you determine if the alert was generated from a client request, that may have been blocked by your proxy, or other edge-device?

If you have to go to other tools to do any of that, you are wasting analyst time. Ideally it should all be just there on the screen without drilling down into anything (a bit more difficult to do.) I guess we are getting into SIEM territory here... sometimes the SIEMs don't even do a good job of this though.

I'd all but abandoned BASE, but Sagan brought new life to it. Ironically, Snort alerts aren't what I was interested in, but everything BUT snort... firewall hits were especially of interest... sure I can monitor, but trending over time was a question, and Sagan plus BASE really shine in this area. Check out Sagan... it is well worth it.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
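The three triage questions in the quoted message (is the target vulnerable, did endpoint protection stop it, did the proxy already block the client request) are exactly the correlation step a front-end like BASE or Sagan would need to answer on screen. The script below is an added example for this thread, not code from BASE, Sagan, Sguil or any poster: it parses Snort alert_fast lines (that line layout is Snort's own), joins each alert against an asset inventory, a proxy log and an endpoint-protection log, and assigns a triage level. The record shapes for those three sources, the SID-to-weakness mapping, and every IP, SID and tag value are assumptions constructed for the example.

```python
"""Enrich Snort alert_fast lines with context from three other sources.

Added example, not code from the thread, BASE, Sagan, Sguil or any other
product. Only the alert_fast line layout is Snort's; the asset inventory,
proxy log and endpoint-protection (EPP) record shapes are assumptions, and
every value below (IPs, SIDs 9000001-9000003, vulnerability tags) is constructed.
"""
import re
from collections import namedtuple

# Snort alert_fast layout:
# "<ts>  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed alert_fast lines (SIDs and messages are placeholders, not real rules).
SAMPLE_ALERTS = [
    "01/30-12:25:01.000001  [**] [1:9000001:1] EXAMPLE WEB-ATTACK exploit pattern [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80",
    "01/30-12:25:09.000002  [**] [1:9000001:1] EXAMPLE WEB-ATTACK exploit pattern [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.12:80",
    "01/30-12:26:15.000003  [**] [1:9000002:1] EXAMPLE POLICY request to flagged host [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.25:49152 -> 198.51.100.9:80",
    "01/30-12:27:30.000004  [**] [1:9000003:1] EXAMPLE SHELLCODE x86 NOOP [**] "
    "[Classification: Executable Code was Detected] [Priority: 1] {TCP} 203.0.113.8:4444 -> 192.0.2.11:445",
]

# Assumed schemas for the other sources (all records constructed).
RULE_VULNS = {"9000001": "webapp-vuln-A"}            # SID -> weakness tag the rule detects
ASSETS = {                                            # IP -> inventory / scanner record
    "192.0.2.10": {"host": "www1", "vulns": {"webapp-vuln-A"}},
    "192.0.2.11": {"host": "fs1", "vulns": set()},
    "192.0.2.12": {"host": "www2", "vulns": set()},  # patched host, same rule fires
}
PROXY_LOG = [{"client": "192.0.2.25", "server": "198.51.100.9", "action": "BLOCKED"}]
EPP_LOG = [{"host": "192.0.2.11", "remote": "203.0.113.8", "action": "BLOCKED"}]

Enriched = namedtuple("Enriched", "sid src dst msg verdict triage")


def parse_alert(line):
    """Return the alert_fast fields as a dict, or None for a non-matching line."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(alert, assets=ASSETS, proxy_log=PROXY_LOG, epp_log=EPP_LOG, rule_vulns=RULE_VULNS):
    """Answer the three triage questions for one alert and assign a triage level."""
    sid, src, dst = alert["sid"], alert["src"], alert["dst"]

    def verdict(v, triage):
        return Enriched(sid, src, dst, alert["msg"], v, triage)

    # Q3: did the proxy / edge device already refuse this client request?
    if any(r["client"] == src and r["server"] == dst and r["action"] == "BLOCKED" for r in proxy_log):
        return verdict("blocked-by-proxy", "low")
    # Q2: did endpoint protection on the target stop the attempt?
    if any(r["host"] == dst and r["remote"] == src and r["action"] == "BLOCKED" for r in epp_log):
        return verdict("blocked-by-endpoint", "low")
    # Q1: is the target actually exposed to what the rule detects?
    asset = assets.get(dst)
    tag = rule_vulns.get(sid)
    if asset is None:
        return verdict("unknown-asset", "medium")    # no inventory: cannot rule it out
    if tag is None:
        return verdict("no-vuln-mapping", "medium")  # rule not tied to a known weakness
    if tag in asset["vulns"]:
        return verdict("target-vulnerable", "high")
    return verdict("target-not-vulnerable", "low")


def enrich(lines):
    """Parse every alert_fast line and return enriched records, highest triage first."""
    order = {"high": 0, "medium": 1, "low": 2}
    out = [correlate(a) for a in (parse_alert(ln) for ln in lines) if a]
    return sorted(out, key=lambda e: order[e.triage])


if __name__ == "__main__":
    for e in enrich(SAMPLE_ALERTS):
        print(f"{e.triage:6} {e.verdict:22} sid={e.sid} {e.src} -> {e.dst}  {e.msg}")
```

The ordering of the checks matters: a request the proxy or the endpoint already refused is demoted before the vulnerability lookup runs, so the same rule firing against a patched host (www2 above) and an exposed host (www1) lands at opposite ends of the queue, which is the "just there on the screen" outcome the message asks for. A missing inventory record is deliberately kept at medium rather than low, since absence of data is not evidence the host is safe.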