PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Advanced Snort analysis

From: arch3angel at gmail.com (Robert Miller)
Date: Fri, 04 Dec 2009 13:54:09 -0500
I had OSSIM installed and running for a short while.  It does SOOO much 
more than I needed like NAGIOS which ended up filling my server with log 
files.  I have since talked with the OSSIM group and found out how to 
stop that but due to other projects I was unable to get back to it yet.  
It provides as close to to real time as I have seen aside from the like 
Rob already gave you.

Just like you I was doing a proof of concept and for that it was not 
high on the companies list of things for me to do, but I can say OSSIM 
will be right at the top of the testing when I do get back.  your just 
going to have to tweak it and turn off things you don't need.

Super easy install, find an old PC or Server and give it a shot, worse 
that can happen is you waste a few hours to find that it is not actually 
what you need. :-)

Hope this helps,

- Robert
(arch3angel)

Grymoire wrote:

Thanks, Rob, for the liveSnort link. Some comments:

* Easy to install

* When you press the Details link, it points to a URL on the snort.org
  site that no longer exists. Example

              http://www.snort.org/pub-bins/sigs.cgi?sid=46

* No visualization. All it seems to be is a web listing of the alerts.

As for splunk, I'm not interested in log correlation. Not at this
time.  That comes later. I want to built a proof-of-concept on a
single machine first.

  

Not sure what you are looking for here though...
    


              Visualization of trends. 
              Categorization of activity over time
              High level view of general status.
              Event correlation - by humans looking at graphs for now

In simple terms, I want plots of activity over time, and the abillity
to categorize these activities. For instance, snort has labels of event
types. I want a plot of number of events by type over time.

For example, I'd like to take a set of recorded network trafic, such
as a CtF event, and feed it in, and be able to get an overview of
activity. How did the first day's activity differ from the second day?

Munin is a standard package for Ubuntu, and it looked like a good
starting point. I even saw some documentation on snort plugins, but
aparently it's based on the old snort statistics stuff. 


  

Correct, we cleaned out a lot of the 3rd party projects that weren't
maintained anymore when we redid the site:
http://www.snort.org/downloads/additional-downloads/ is what is
left.
    


It would be nice if the 2.8.5.1 contrib/README file had this
information.  it would also be nice if there was a redirect link of
the old location to the new location.  I wonder if the snort team
looks at the web logs for URL gets of missing pages.


  

Snort IDS and IPS toolkit is the most recent book.  I think that was
one was...  2006? 2007?
    



Thanks, I'll take a look.

  

I use text based alerting, but that's not really feasible for an
unskilled enterprise environment.
    


Yes. I don't want micromanagement. I want "big picture" information.

  

The Snort-Users mailing list is also available for your reference.  
    


Okay. I think the number of mailing lists I subscribe to is
approaching 100+. I prefer searching over subscribing, sigh...
I thought this would be easy, with a FAQ, etc.
(Thank god for procmail. )

As for your suggestions...

  

Base, Snorby, Sguil..
    


I installed ACID BASE as part of Ubuntu. My next step is to see how I
can extend and plot the data on a web page. I had hopes for munin.

See
https://forums.snort.org/forums/snort-newbies/topics/munin

As for Snorby - that's a front-end for snort. I have snort running and
feeding mysql.  And Squil - I don't see any graphs in the sample
screen shots. So Snorby and Squil don't seem to do what I want.

I'm also looking at pmgraph.pl and EasyIDS
And learn more about BASE and ACID.

- Grymoire
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: