Snort mailing list archives
Re: BASE and Snorby running together
From: Dustin Webber <dustin.webber () gmail com>
Date: Wed, 22 Feb 2012 17:57:45 -0500
Shane,

RE: Searching -- This is in the works, pretty easy to add but the design/workflow gets a bit more challenging. Most of my time has been spent on Snorby 3.0.0 however, this weekend I'll hack it in.

RE: Timestamps -- Snorby existed before Security Onion. i.e. It was not built just to be included. Why would SO enforcing UTC mean Snorby should conform? I do agree it should be a customizable option. (This is pretty low on the priority list. SUPER low.. because srsly.. do math)

Just so I fully understand let me go over the facts from your last email.

1. You're not a fan of fixing XSS/SQL inject.
2. You downloaded Security Onion and instead of using Sguil (currently still the best open source IR application) you installed a vulnerable php and setup BASE.

Since you have personal problems with Snorby.. I would love to hear why BASE is better than Sguil.. Please, do tell.

Best Regards,
Dustin

On Feb 22, 2012, at 5:03 PM, Castle, Shane wrote:
BASE useta have some functions that worked better before the coders decided they needed to protect against SQL/XSS injection. Now I can't enter SQL wildcard expansions ("LIKE %stuff%") in my queries.

The search and restricting the results to "unique alerts" (a misnomer but admittedly probably the best wording) capabilities are big shortcomings of Snorby. The ability to do multiple drill-downs based on IP address, the requirement to drill down to the IP address itself before name resolution occurs, and especially the ability to construct detailed searches that can then be used to delete the found alerts (invaluable for tuning and getting rid of multiple FPs) is foremost. And as mentioned, I am really trying to like it but I'm just not feeling the love :( . Not that I'm getting it much from BASE anymore either.

I have my current BASE screen set up to report on the last 100 "unique alerts", which gets me most of the day's unique listings, and I can quickly drill down to who/what are the most likely suspects. Snorby's display of each and every alert is just a waste of my time paging through screen after screen of junk alerts (at my current level of tuning - really need to get the Snort config'd right).

As I mentioned in my first post, this is using Security Onion, so squert and Sguil are there too. I just don't want to give up all the work and learning that I put into BASE over the years.

And why can't I get 24-hour clock timestamps in Snorby? What's up with that? Who uses AM and PM for that anymore? Since SO wants the entire system to use UTC it makes it tiresome to do mod(12) arithmetic and then offset 7 hours. Yes I know it's a nit but it's a really annoying one.
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
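Shane's complaint that BASE stopped accepting "LIKE %stuff%" once it was hardened against SQL injection, and Dustin's point that fixing the injection is not optional, are not actually in tension: a parameterised query binds the user's pattern as data, so the LIKE wildcards still work while quotes, semicolons and comment markers lose any SQL meaning. The example below is added here to show that; it is not code from BASE, Snorby or the list, and its `signature` table and rows are constructed stand-ins for a Snort alert schema. It uses SQLite purely because it ships with Python; the same bound-parameter and ESCAPE-clause approach applies to MySQL or PostgreSQL drivers.

```python
import sqlite3

# Constructed sample rows standing in for a Snort "signature" table.
SAMPLE_SIGNATURES = [
    (1, "ET SCAN Nmap Scripting Engine User-Agent Detected"),
    (2, "ET POLICY Dropbox Client Broadcasting"),
    (3, "ET WEB_SERVER Possible SQL Injection Attempt"),
    (4, "GPL ICMP_INFO PING *NIX"),
    (5, "ET INFO 100% discount coupon spam"),  # contains a literal '%'
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SAMPLE_SIGNATURES)
    return conn


def search_interpolated(conn, pattern):
    """The fragile form: the user's text is spliced into the SQL statement.

    A quote character in the input becomes part of the SQL grammar, so the
    statement's shape is no longer under the application's control. This is
    the defect class that blanket input-stripping 'fixes' were reacting to.
    """
    sql = "SELECT sig_id FROM signature WHERE sig_name LIKE '%s'" % pattern
    return [row[0] for row in conn.execute(sql)]


def interpolation_breaks(conn, text):
    """Return True if splicing `text` into the statement makes it invalid SQL."""
    try:
        search_interpolated(conn, text)
    except sqlite3.OperationalError:
        return True
    return False


def search_wildcard(conn, pattern):
    """Parameterised LIKE: the user's pattern, wildcards included, is bound as
    data. '%' and '_' still act as LIKE wildcards, but quotes and the rest are
    just characters inside the bound string, so the query shape is fixed."""
    sql = "SELECT sig_id FROM signature WHERE sig_name LIKE ?"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def like_literal(text, esc="\\"):
    """Escape LIKE metacharacters so `text` matches itself literally."""
    return (
        text.replace(esc, esc + esc)
            .replace("%", esc + "%")
            .replace("_", esc + "_")
    )


def search_substring(conn, text):
    """Substring search where the user's text is taken literally: the
    application adds the surrounding wildcards and escapes any '%' or '_'
    in the input, declaring the escape character with an ESCAPE clause."""
    sql = "SELECT sig_id FROM signature WHERE sig_name LIKE ? ESCAPE '\\'"
    bound = "%" + like_literal(text) + "%"
    return [row[0] for row in conn.execute(sql, (bound,))]


if __name__ == "__main__":
    db = make_db()
    print(search_wildcard(db, "ET %SQL%"))   # user-supplied wildcards honoured
    print(search_substring(db, "100%"))     # '%' in the input taken literally
    print(interpolation_breaks(db, "O'Reilly"))  # a plain apostrophe breaks the SQL
    print(search_wildcard(db, "O'Reilly"))  # the bound form just finds nothing
```

`search_wildcard` is the behaviour Shane wants back (the analyst types the `%`); `search_substring` is the behaviour a UI usually wants by default (the analyst types text, the application adds the wildcards). Both are safe against injection because the statement text never changes; the only thing that changes between calls is the bound value.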
Current thread:
- BASE and Snorby running together Castle, Shane (Feb 22)
- Re: BASE and Snorby running together JJC (Feb 22)
- Message not available
- Re: BASE and Snorby running together Jan Seidl (Feb 22)
- Re: BASE and Snorby running together Dustin Webber (Feb 22)
- Re: BASE and Snorby running together Jefferson, Shawn (Feb 22)
- Re: BASE and Snorby running together Dustin Webber (Feb 22)
- Re: BASE and Snorby running together Jefferson, Shawn (Feb 22)
- Re: BASE and Snorby running together Jan Seidl (Feb 22)
- Re: BASE and Snorby running together Jason Wallace (Feb 22)
- Re: BASE and Snorby running together Castle, Shane (Feb 22)
- Re: BASE and Snorby running together Dustin Webber (Feb 22)
- Re: BASE and Snorby running together Castle, Shane (Feb 22)