Snort mailing list archives
Re: php, base issue
From: Rick Chisholm <chavez243 () gmail com>
Date: Fri, 18 May 2012 13:35:53 -0400
I know exactly what you mean Ron - long-time BASE user as well, but I could not keep fighting with it and I don't have the time to pick it up myself and make it work. I agreed BASE seemed to present more info to the analyst, I'm still getting used to Snorby. I'll admit it was a bitch getting Snorby to work in my environment, but I'm content now that it is up. I think the Snorby dev is also very open to suggestions for improvement, so if you want a feature, just ask.

On Fri, May 18, 2012 at 1:30 PM, Ron Sinclair <unixfool () gmail com> wrote:
I hear such statements all the time. Would be nice if someone took BASE and revamped (but not whole-hog) it. I've been using BASE for almost 10 years, even after using both Sguil and Snorby. There's something about BASE that Snorby just can't match...just my opinion. I do check Snorby from time to time to assess any new features. Last I checked, it still had a long way to go, so I kept using BASE. Sguil...I don't know, since I never force myself to spend enough time to better utilize it. I usually just get frustrated and wipe it out. BASE seems less maintenance intensive than either Sguil or Snorby. I don't want to have to learn Ruby/Rails to use Snorby. I didn't really have to understand all that much about PHP to begin using BASE, and I already had a good knowledge of MySQL, Snort, and Apache (and a multitude of other things). I'll be using BASE for another 10 years, or until something else (that isn't Sguil or Snorby) is released. If that doesn't happen, I'll go straight to the raw logs and begin using correlation scripts and tools.

On Fri, May 18, 2012 at 1:06 PM, Rick Chisholm <chavez243 () gmail com> wrote:

Hi Dennis: BASE is getting pretty long in the tooth, does not appear to be actively developed and as PHP advances, is slowly breaking. It is advisable to switch to something like Snorby, Sguil etc.

On Fri, May 18, 2012 at 12:37 PM, Dennis Circolone <djcircolone () gmail com> wrote:

Hello, I have configured snort-2.9.2.2 on an opensuse 12.1 box, everything is working great except for the portscan traffic stays at 0% after an NMAP test and when I select source ports link or dest ports link I receive an error. Does anyone know how I can resolve this issue?
[BASE main page as pasted into the message; link URLs and navigation menus removed]

Basic Analysis and Security Engine (BASE)
Queried on: Fri May 18, 2012 16:34:43
Database: snort@localhost (Schema Version: 107)
Time Window: [2012-05-18 11:05:19] - [2012-05-18 11:06:55]
Sensors/Total: 1 / 2
Unique Alerts: 1
Categories: 1
Total Number of Alerts: 48
- Src IP addrs: 13
- Dest. IP addrs: 1
- Unique IP links: 13
- Source Ports: 2 (TCP 0, UDP 2)
- Dest Ports: 2 (TCP 0, UDP 2)
Traffic Profile by Protocol: TCP (0%), UDP (100%), ICMP (0%)
Portscan Traffic (0%)

[BASE ports page as pasted; link URLs, sort controls and the ACTION menu removed]

Basic Analysis and Security Engine (BASE) Home | Search [ Back ]
/srv/www/htdocs/base/includes/base_cache.inc.php:556: ERROR: $number_sensors_array is NOT an array!
/srv/www/htdocs/base/includes/base_cache.inc.php:564: ERROR: $number_sensors_array is either NULL or empty!
Queried on: Fri May 18, 2012 16:36:23
Meta Criteria: any / IP Criteria: any / Layer 4 Criteria: none / Payload Criteria: any
No Alerts were found.
(column headers: Port, Sensor, Occurrences, Unique Alerts, Src. Addr., Dest. Addr., First, Last)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

-- 
Rick Chisholm
http://parallel42.ca
http://appliedusers.ca
=========================
"There is no faith which has never yet been broken, except that of a truly faithful dog." - Konrad Lorenz
-- 
Rick Chisholm
http://parallel42.ca
http://appliedusers.ca
=========================
"There is no faith which has never yet been broken, except that of a truly faithful dog." - Konrad Lorenz
Current thread:
- php, base issue Dennis Circolone (May 18)
- Re: php, base issue Rick Chisholm (May 18)
- Re: php, base issue Ron Sinclair (May 18)
- Re: php, base issue Rick Chisholm (May 18)
- Re: php, base issue Greg Williams (May 18)
- Re: php, base issue Rick Chisholm (May 18)
- Re: php, base issue Greg Williams (May 18)
- Re: php, base issue Doug Burks (May 18)
- Re: php, base issue Greg Williams (May 18)
- Re: php, base issue Ron Sinclair (May 18)
- Re: php, base issue Rick Chisholm (May 18)