Snort mailing list archives

Re: consensus on BASE


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 26 May 2006 12:54:10 -0500

John Newman wrote:
Is the consensus that BASE is the best web front-end for snort out there
(and I mean free, open source stuff)?  What are people's experiences
with sguil (which I realize is not web based).

thanks,

I think Base is probably the most popular open source front-end (although I don't have any data to back that up). It's certainly easy to install and use. The problem with Base is that it gives you a sliding window of your events data, which tends to obscure real-time events from view unless they are large enough to draw attention (or you just happen to notice them). So, it's good for summarizing what's going on, but not as good for real-time analysis of discrete events.

Sguil is very difficult to install. It requires quite a bit of preparation and installation of ancillary apps to make it work. (I'm trying to solve that on FreeBSD by developing ports for it that take care of all the dependencies.) That's a consequence of the decision to use tcl as the programming language, since it's not commonly installed on most platforms. (It also uses some other apps which are not so common: sancp, p0f, tcpdump.)

Once it's installed and configured (which is also a bit of work and requires a clear understanding of what you're doing), it provides a completely different, more detailed look at the data, in real time. It's easy to pick out events that need immediate follow-up and drill down into packets to see what's really going on.

So, I would say, Base is good for folks new to snort and especially new to administering OSes, and sguil is good for folks who clearly understand what they're doing and want as much information about events as they can get.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
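The trade-off Paul describes above, a roll-up view that summarizes a window of alerts well but lets a single critical event disappear among high-volume noise, can be made concrete with a small script. This is an added example and is not code from the original post, from BASE or from Sguil. The alert lines are constructed in Snort's alert_fast text format; the SIDs (in the 1000000+ local range), messages and addresses are invented for illustration. The script parses the alerts, then shows the same data two ways: a top-N count by signature (the summary view) and a per-event list filtered on priority (the discrete view an analyst would triage from).

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (invented local-range SIDs,
# messages and addresses; not taken from the original post).
SAMPLE_ALERTS = """\
05/26-12:50:01.000001  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
05/26-12:50:02.000002  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.1
05/26-12:50:03.000003  [**] [1:1000002:1] LOCAL SNMP community probe [**] [Classification: Attempted Information Leak] [Priority: 3] {UDP} 10.0.0.7:40001 -> 10.0.0.1:161
05/26-12:50:04.000004  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.2
05/26-12:50:05.000005  [**] [1:1000003:1] LOCAL outbound connection to unusual port [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.8:51234 -> 10.0.0.9:4444
05/26-12:50:06.000006  [**] [1:1000002:1] LOCAL SNMP community probe [**] [Classification: Attempted Information Leak] [Priority: 3] {UDP} 10.0.0.7:40002 -> 10.0.0.2:161
05/26-12:50:07.000007  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.2
05/26-12:50:08.000008  [**] [1:1000002:1] LOCAL SNMP community probe [**] [Classification: Attempted Information Leak] [Priority: 3] {UDP} 10.0.0.7:40003 -> 10.0.0.3:161
05/26-12:50:09.000009  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.3
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src -> dst (ports present for TCP/UDP).
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d['priority'] = int(d.pop('prio'))
        events.append(d)
    return events


def summary_view(events, top=3):
    """Roll-up over the window: the top-N signatures by count.

    This is the kind of picture a dashboard gives; a single priority-1
    event never reaches the top of the list if noisy signatures dominate.
    """
    return Counter(e['msg'] for e in events).most_common(top)


def discrete_view(events, max_priority=1):
    """Per-event triage: every alert at or above the given priority, in order.

    Snort priorities are 1 (highest) to 3, so max_priority=1 keeps only the
    most severe events regardless of how few of them there are.
    """
    return [e for e in events if e['priority'] <= max_priority]


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print("summary (top 2):", summary_view(evs, top=2))
    for e in discrete_view(evs):
        print("needs follow-up:", e['ts'], e['sid'], e['msg'], e['src'], '->', e['dst'])
```

Run as-is, the top-2 summary lists only the ICMP and SNMP signatures, while the discrete view returns the one priority-1 connection to port 4444; the parser is the part worth reusing, since any scoring or correlation you add sits on top of the same dicts.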


