Snort mailing list archives
Re: Distributed Snort
From: Ian Bowers <iggdawg () gmail com>
Date: Fri, 11 May 2012 16:40:07 -0400
Apologies, you're both 100% right. While I meant "remote session" I'm still wrong since you can indeed get sguil running on just about any platform.

On Fri, May 11, 2012 at 2:37 PM, Doug Burks <doug.burks () gmail com> wrote:
> Ian,
>
> Thanks for your kind words about Security Onion! A slight correction. Sguil doesn't require a VNC session. You can install the Sguil client on just about any platform and point it at the server. We actually recommend running Security Onion in a VM on your analyst workstation since this gives you the Sguil client, Wireshark, NetworkMiner, and a whole slew of other pcap tools for analysis.
>
> Thanks,
> Doug
>
> On Fri, May 11, 2012 at 2:18 PM, Ian Bowers <iggdawg () gmail com> wrote:
>
>> I'd like to throw in some support for security onion as well. It's pretty fantastic, and mad easy to set up. Granted the baseline phase is no different from any other Snort deployment, so you still get to get your hands dirty if you're like me and you enjoy that sort of thing. It was easy to install BASE on as well. Just untar into /var/www and install a couple packages (php5-adodb or libphp-adodb... or both... I don't remember) and configure base_conf.php, and you're up and running.
>>
>> Eric - I agree there are better tools than BASE for handling events, but I view BASE as a direct portal to the database. There are no background daemons that have to collect info or anything, it just says "here's what I got". And sometimes that's what I want. Snorby is good, but it doesn't suit the way I handle IDS. Sguil is very good, but it requires a VNC session (although projects like jSguil look promising). In the case of security onion sguil is especially handy since it's your easy-access portal to all the packet captures. But for a quick check of what's going on, BASE rocks. And I can move to a more legit tool to classify and investigate if I feel it's worth looking into.
>>
>> On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose () gmail com> wrote:
>>
>>> Hi
>>>
>>> I could also recommend SecurityOnion, http://securityonion.blogspot.com, which has this capability by default. Only thing is that it doesn't have BASE but it has Snorby, Squert and Sguil instead. Give it a try, it only takes a few minutes to set up...
>>>
>>> /Lysemose
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
>>> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> --
> Doug Burks | http://securityonion.blogspot.com
> Don't miss SANS SEC503 Intrusion Detection In-Depth in Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
> http://augusta.issa.org/drupal/SANS-Augusta-2012
Current thread:
- Distributed Snort Adam Orton (May 11)
- Re: Distributed Snort Joel Esler (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Adam Orton (May 11)
- Re: Distributed Snort Heine Lysemose (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Jeremy Hoel (May 11)
- Re: Distributed Snort Joel Esler (May 11)
- Re: Distributed Snort Doug Burks (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Joel Esler (May 11)