Snort mailing list archives

Re: Re: About to setup snort


From: Bamm Visscher <bamm () satx rr com>
Date: Sat, 22 May 2004 11:39:05 -0500

I suppose this warrants a response 'on list' even though I know you and Rich have communicated privately about your 
concerns with the name.

First off, please understand that I have a dry sense of humor and a tendency to be 'slightly' sarcastic. In truth, the 
ink is completely worn off my </sarcasm> key. With that in mind, here is the history of the name (WARNING: long version 
with useless information follows. If uninterested skip to the bottom and short version).

Sometime in 1999/2000 I started writing my own little interface to snort for my own home/personal use. I named it spreg 
(Snort Personal Realtime Event GUI). Soon after that I took a position to start a managed security monitoring service 
within an established company focused on the gov't who wanted to get into commercial business. I took spreg with me, 
improved upon it, and pretty soon Rich and I had what we felt was a nifty interface that followed our theories on 
Network Security Monitoring (NSM) and worked extremely well in our organization. During this time, I became a regular 
in #snort. Often times we'd talk theory and I'd leak screen shots of spreg to give others an idea of what we were doing 
in our organization. I would have liked to share the code at that time, but technically it was now owned by the company 
(I was developing it on its time) and it would have been a support nightmare (originally it was more proof of concept, 
and a look/feel template for our REAL developers to use as they wrote a more robust system for long term use). Then the 
market tanked. Soon after, said company decided that maybe commercial work wasn't so great and they needed to focus on 
their 'core competency' (ie "you are all fired"). Lucky for me, one of our monitored 'customers' was our parent 
company. They liked what we provided them and they offered to transfer me to corporate to continue monitoring its 
network. I considered the guys in #snort friends and as I related the news, it again brought up the question of the 
spreg code. Could I now open source it? The quick answer was no. Ex-company bundled it with the long term project 
code, tried unsuccessfully to sell it, and shelved it. In the end, we (corporate) could continue to use it, but it 
wasn't 'ours'. Much discussion on #snort occurred and the question of re-writing it on 'my' time arose. My boss 
approved and off I went. The channel #snort-gui was created a few months later when I was ready for some of the guys to 
test it out. It proved to be a very alpha, but worthwhile, project without a name. In order to understand the 'lamerz' 
part, you need to understand that a typical day in #snort went something like this (my nick is 'qru' and by 
#snort-regular, I mean the contingent of snort users who spend a lot of time in #snort, contribute to the project, but 
aren't considered developers):

****Joins: USER1 has joined #snort
<USER1> I have a question, are there any developers here?
<#snort-regular> They are here, just idle. Ask your question, and maybe one of 
                 us can help
<USER1> Question
<#snort-regular> Answer
-[repeat 10x]-
****Joins: USER12 has joined #snort
<USER12> I have a question, are there any developers here?
<qru> No, just us lamerz. </sarcasm>

-[fast forward to next day]-
<qru> G'morning lamerz.
<#snort-regulars> heh.
-[repeat as needed]-

The gist of the "what do we name it" conversation went something like:

<qru> What do we call this thing?
<geek2> `echo http://www.thesaurus.com->pig`
<qru> ick
<scottder> How about <some word in some language that meant pig>
<qru> I've been calling it 'swine' as 'wine' makes me think GUI and s == snort
<qru> But I really don't like it.
<geek2||tinsley> How about SGUI - Snort GUI
<qru> Hrm. Kinda like that but it doesn't have that 'snort' name to it 
      like barnyard, oinkmaster, etc.
-[much discussion]-
<qru> How about sguil. Has the GUI in the middle and we can pronounce it
      like 'sgweel' (the sound a pig makes).
<scottder> "Make your pig sgweel".
-[and there was much rejoicing]-
<qru> Okay, so what does the 'L' stand for?
<tinsley> lamerz ;)
<qru> Bwhahahahahaahahahhaah! Snort GUI for Lamerz, That's it!
<geek2> ditto
<scottder> ditto

So that is how we came up with the name. I registered the project on sourceforge and we continued development. Some 
time later, Rich in his infinite wisdom said, "You know, we might want to reconsider the 'lamerz' part. It's not very 
marketable." Of course, I originally scoffed at the idea. This was a project for analysts, by analysts. If someone didn't 
want to use it because of the name, then they obviously aren't worthy </wayne&garth> of using it. Time passes and Sguil 
starts to mature. Rich brings up the name again, this time admitting he's shown it to a couple of high profile security 
types, who liked it a lot but had bad reactions to the name. He was starting to write his book, wanted sguil to be a 
big part of it, but the 'lamerz' had him concerned. He also had an opportunity to publish an article in SysAdmin 
Magazine and really wanted us to drop the 'lamerz' as he didn't think it would be received well. In the end, we agreed 
that Rich was right (damn you Rich!!), and after much discussion of what we could change the 'L' to, it was decided 
that we would silently drop the mention of the 'lamerz' and just refer to it as 'sguil'. What the 'l' meant would just 
be insider information from now on. Obviously I didn't do a very good job of cleanup (the screenshots on the homepage 
were old and still had the 'lamerz' in the titlebar. Doesn't really matter though, thanks to Google, lamerz will always 
be there).

And that's the rest of the story. Please don't be deceived by the name. Sguil is actively developed by a group of 
professional individuals who use it in real environments. We are not out there to sell you some slick interface that 
accomplishes nothing. We believe in the process of NSM and are trying our best to spread the word. Rich has a kick ass 
book coming out in July (http://www.amazon.com/exec/obidos/ASIN/0321246772/102-7471674-6122508). If you buy into the 
theories he discusses there, then you'll understand better what we have started with sguil.

Almost forgot the short Version: Don't judge a book by its cover.

;)

Bammkkkk



On Fri, May 21, 2004 at 11:48:48AM -0400, Shaun T. Erickson wrote:
Richard Bejtlich wrote:

If you get frustrated with ACID, consider
Sguil (sguil.sourceforge.net).

It looks interesting, but I can guarantee you that I won't be running 
anything that considers its users to be "lamerz".

      -ste


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

