Snort mailing list archives
Re: general questions
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 29 Mar 2013 14:24:51 -0500
On 3/29/2013 10:40, Mohammad MontazerI wrote:
--------------------------------------------------------------------------------
> Hello dear all. i had a few questions, some of which have been answered but some have not.
> 1- which rule manager is better and where can i download it?
this is speculative at best... we currently use oinkmaster but are looking at pulledpork... they each have their differences, of which some are positive and others are negative, but this is also related to one's environment and how they want/need to manage their rules... for example, pulledpork has some sort of policy method where you can select balanced, security or a third one for your rules and only those rules with that metadata will be enabled in your rules file... oinkmaster, on the other hand, doesn't know anything about any metadata, so all the rules that you have told oinkmaster to use are enabled in your rules files... and there i also named a subtle difference between them, as well... oinkmaster leaves all your rules in their individual rules files... pulledpork merges them all into one huge rules file... i think i read that pulledpork can leave them in their original files but i'm not certain of that... again, it depends on /how/ *you* want to manage your rules... most of our installations are quite happy with oinkmaster and simply adding disablesid, enablesid or modifysid options to an included oinkmaster config file without anything else stepping in the way and doing something else not understood or desired... personally, i'm not aware of any of our systems using any specific policy nor have there been any requests for such... in the worst case, all rules are enabled and are then weeded down to only those that are required for that particular network and/or network segment...
> 2- is there any software which i can use to read the log files? (something that gives more options)
you'll have to be more specific... many of our sites simply use less to browse thru the log files... we also have a page in our GUI that parses the alert file into something a bit more human readable, but some important information is still missing (ie: no GID:SID:rev, only the rule's msg)... you have this problem of "missing or cryptic information" with the raw alert file anyway... this is why there are the references included in the rules, and those are then linked to the actual documentation of the reference in those cases where there is any documentation (ie: CVEs)... NOTE: personally i have not looked at any of the existing "consolidation" packages like snorby (first name that came to mind) and others which have all kinds of pretty graphs and output... if we are looking for stats, then we run quite simple greps and similar stats counting methods... nothing fancy and no databases or other storage methods necessary (or desired in our cases)... yes, that means that we work with the raw alert file and the raw pcap files when we need to dig into them...
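The reply above describes two things done by hand against the raw alert file: pulling out the GID:SID:rev that the GUI page drops, and running grep-style hit counts per rule. The following is an added example, not code from the poster or from the Snort project: a small parser for Snort's alert_fast line format that extracts gid:sid:rev, msg, classification, priority and endpoints, skips non-alert lines instead of crashing, and tallies hits per rule. The sample alert lines, SIDs, addresses and messages are constructed placeholders.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (not taken from the list post);
# SIDs are placeholders in the local 1000000+ range, addresses are private/documentation ranges.
SAMPLE_ALERTS = """\
03/29-10:41:02.113344  [**] [1:1000001:3] LOCAL example ssh scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:54321 -> 192.168.1.20:22
03/29-10:41:05.778899  [**] [1:1000001:3] LOCAL example ssh scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:54322 -> 192.168.1.21:22
03/29-10:42:17.000123  [**] [1:1000002:1] LOCAL example dns anomaly [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.5:53011 -> 192.0.2.53:53
a stray line that is not an alert and must be skipped rather than crash the parser
"""

# One alert_fast line: timestamp, [gid:sid:rev], msg, optional classification and priority,
# protocol in braces, src -> dst, and an optional trailing [Xref => ...] block.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\[Xref\s*=>[^\]]*\])*\s*$"
)


def parse_alert_line(line):
    """Return a dict of fields for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev"):
        a[key] = int(a[key])
    a["prio"] = int(a["prio"]) if a["prio"] is not None else None
    return a


def parse_alerts(text):
    """Parse every alert line in text, silently skipping lines that do not match."""
    return [a for a in map(parse_alert_line, text.splitlines()) if a is not None]


def count_by_rule(alerts):
    """The grep-and-count statistic: hits per gid:sid:rev (with its msg), most frequent first."""
    hits = Counter((a["gid"], a["sid"], a["rev"], a["msg"]) for a in alerts)
    return [("%d:%d:%d" % k[:3], k[3], n) for k, n in hits.most_common()]


if __name__ == "__main__":
    # Usage: python snort_alert_stats.py [alert_file]; with no argument the sample data is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for rule, msg, n in count_by_rule(parse_alerts(text)):
        print("%6d  %-14s %s" % (n, rule, msg))
```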