Advanced Snort analysis

[pauldotcom at grymoire.com (Grymoire)]

Thanks, Rob, for the liveSnort link. Some comments:

* Easy to install

* When you press the Details link, it points to a URL on the snort.org
  site that no longer exists. Example

                http://www.snort.org/pub-bins/sigs.cgi?sid=46

* No visualization. All it seems to be is a web listing of the alerts.

As for splunk, I'm not interested in log correlation. Not at this
time.  That comes later. I want to built a proof-of-concept on a
single machine first.

> Not sure what you are looking for here though...

                Visualization of trends. 
                Categorization of activity over time
                High level view of general status.
                Event correlation - by humans looking at graphs for now

In simple terms, I want plots of activity over time, and the abillity
to categorize these activities. For instance, snort has labels of event
types. I want a plot of number of events by type over time.

For example, I'd like to take a set of recorded network trafic, such
as a CtF event, and feed it in, and be able to get an overview of
activity. How did the first day's activity differ from the second day?

Munin is a standard package for Ubuntu, and it looked like a good
starting point. I even saw some documentation on snort plugins, but
aparently it's based on the old snort statistics stuff. 


> Correct, we cleaned out a lot of the 3rd party projects that weren't
> maintained anymore when we redid the site:
> http://www.snort.org/downloads/additional-downloads/ is what is
> left.

It would be nice if the 2.8.5.1 contrib/README file had this
information.  it would also be nice if there was a redirect link of
the old location to the new location.  I wonder if the snort team
looks at the web logs for URL gets of missing pages.


> Snort IDS and IPS toolkit is the most recent book.  I think that was
> one was...  2006? 2007?


Thanks, I'll take a look.

> I use text based alerting, but that's not really feasible for an
> unskilled enterprise environment.

Yes. I don't want micromanagement. I want "big picture" information.

> The Snort-Users mailing list is also available for your reference.  

Okay. I think the number of mailing lists I subscribe to is
approaching 100+. I prefer searching over subscribing, sigh...
I thought this would be easy, with a FAQ, etc.
(Thank god for procmail. )

As for your suggestions...

> Base, Snorby, Sguil..

I installed ACID BASE as part of Ubuntu. My next step is to see how I
can extend and plot the data on a web page. I had hopes for munin.

See
https://forums.snort.org/forums/snort-newbies/topics/munin

As for Snorby - that's a front-end for snort. I have snort running and
feeding mysql.  And Squil - I don't see any graphs in the sample
screen shots. So Snorby and Squil don't seem to do what I want.

I'm also looking at pmgraph.pl and EasyIDS
And learn more about BASE and ACID.

- Grymoire