Advanced Snort analysis

[eslerj at gmail.com (Joel Esler)]

On Fri, Dec 4, 2009 at 9:28 AM, Grymoire <pauldotcom at grymoire.com> wrote:

> Thanks, Rob, for the liveSnort link. Some comments:
>
> * Easy to install
>
> * When you press the Details link, it points to a URL on the snort.org
>  site that no longer exists. Example
>
>                http://www.snort.org/pub-bins/sigs.cgi?sid=46
Yes, the old rule references are gone, we are thinking of a new way to do
this.  In the meantime, all rule documentation is included in the rule pack.
 In the doc/ directory of the rulepack.


> * No visualization. All it seems to be is a web listing of the alerts.
Correct, there aren't many tools that do this <plug> Sourcefire does </plug>


> As for splunk, I'm not interested in log correlation. Not at this
> time.  That comes later. I want to built a proof-of-concept on a
> single machine first.

Splunk allows for easy searching and viewing of Snort alerts, plus you can
get a graph of trending amounts of traffic over time (IIRC).  It works.


> > Not sure what you are looking for here though...
>
>                 Visualization of trends.
>                Categorization of activity over time
>                High level view of general status.
>                Event correlation - by humans looking at graphs for now
>
> In simple terms, I want plots of activity over time, and the abillity
> to categorize these activities. For instance, snort has labels of event
> types. I want a plot of number of events by type over time.


pmgraph will do that for you, if you are looking for simple bar graphs and
what not.

http://www.snort.org/users/jbrvenik/Site/Archives.html



> For example, I'd like to take a set of recorded network trafic, such
> as a CtF event, and feed it in, and be able to get an overview of
> activity. How did the first day's activity differ from the second day?


Many of the old Snort visualization projects are dead.  Unfortunately.


> Munin is a standard package for Ubuntu, and it looked like a good
> starting point. I even saw some documentation on snort plugins, but
> aparently it's based on the old snort statistics stuff.
>
>
> > Correct, we cleaned out a lot of the 3rd party projects that weren't
> > maintained anymore when we redid the site:
> > http://www.snort.org/downloads/additional-downloads/ is what is
> > left.
>
> It would be nice if the 2.8.5.1 contrib/README file had this
> information.  it would also be nice if there was a redirect link of
> the old location to the new location.  I wonder if the snort team
> looks at the web logs for URL gets of missing pages.

I'll see if I can get this fixed for you.

> The Snort-Users mailing list is also available for your reference.
>
> Okay. I think the number of mailing lists I subscribe to is
> approaching 100+. I prefer searching over subscribing, sigh...
> I thought this would be easy, with a FAQ, etc.
> (Thank god for procmail. )

Aren't we all having that problem? ;)



> As for your suggestions...
>
> > Base, Snorby, Sguil..
>
> I installed ACID BASE as part of Ubuntu. My next step is to see how I
> can extend and plot the data on a web page. I had hopes for munin.


I don't know anything about munin.  However, I wish the debian people (and
ubuntu people as a result) -- and yes, I have talked to the debian people,
personally, about this --  It's not "acid_base"  It's called BASE.
base.secureideas.net

Sorry, pet peeve.


I'm also looking at pmgraph.pl and EasyIDS
> And learn more about BASE and ACID.
Forget about ACID.  totally.  It has been updated, in.. 7 years?  BASE is a
good start.  pmgraph is a good start to give you simple graphing based off
of performance stats...

Splunk is good for overall.  mubix++


-- 
Joel Esler | 302-223-5974 | gtalk: jesler at sourcefire.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091204/507d6d04/attachment.htm