Snort mailing list archives

Re: Distributed Snort

From: Ian Bowers <iggdawg () gmail com>
Date: Fri, 11 May 2012 16:40:07 -0400

Apologies, you're both 100% right.  While I meant "remote session" I'm
still wrong since you can indeed get sguil running on just about any
platform.

On Fri, May 11, 2012 at 2:37 PM, Doug Burks <doug.burks () gmail com> wrote:

Ian,

Thanks for your kind words about Security Onion!

A slight correction.  Sguil doesn't require a VNC session.  You can
install the Sguil client on just about any platform and point it at
the server.  We actually recommend running Security Onion in a VM on
your analyst workstation since this gives you the Sguil client,
Wireshark, NetworkMiner, and a whole slew of other pcap tools for
analysis.

Thanks,
Doug

On Fri, May 11, 2012 at 2:18 PM, Ian Bowers <iggdawg () gmail com> wrote:

I'd like to throw in some support for security onion as well.  It's

pretty

fantastic, and mad easy to set up.  Granted the baseline phase is no
different from any other Snort deployment, so you still get to get your
hands dirty if you're like me and you enjoy that sort of thing.

It was easy to install BASE on as well.   just untar into /var/www and
install a couple packages (php5-adodb or libphp-adodb...  or both...  I

dont

remember) and configure base_conf.php .   and you're up and running.

Eric - I agree there are better tools than BASE for handling events, but

view BASE as a direct portal to the database.  There are no background
daemons that have to collect info or anything, it just says "here's what

got".  And sometimes that's I want.  Snorby is good, but it doesn't suit

the

way I handle IDS.  Sguil is very good, but it requires a VNC session
(although projects like jSguil look promising).  In the case of security
onion sguil is especially handy since it's your easy-access portal to all
the packet captures.  But for a quick check of whats going on, BASE

rocks.

 And I can move to a more legit tool to classify and investigate if I

feel

it's worth looking into.



On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose () gmail com>

wrote:


Hi

I could also recommend SecurityOnion, http://securityonion.blogspot.com

 which has this capability by default.
Only thing is that it doesn't have Base but it have Snorby, Squert and
Squil instead.

Give it a try it only takes a few minutes to setup...

/Lysemose

------------------------------------------------------------------------------

Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest

Snort

news!




--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Distributed Snort Adam Orton (May 11)
- Re: Distributed Snort Joel Esler (May 11)
  - Re: Distributed Snort Ian Bowers (May 11)
    - Re: Distributed Snort Adam Orton (May 11)
    - Re: Distributed Snort Heine Lysemose (May 11)
    - Re: Distributed Snort Ian Bowers (May 11)
    - Re: Distributed Snort Jeremy Hoel (May 11)
    - Re: Distributed Snort Joel Esler (May 11)
    - Re: Distributed Snort Doug Burks (May 11)
    - Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Eric G (May 11)