Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: consensus on BASE

From: "Bamm Visscher" <bamm.visscher () gmail com>
Date: Sat, 27 May 2006 09:31:52 -0600
I expect Drew was commenting more on the suite of tools that Sguil
uses. One of those tools is used to collect full content data.  With
the full content logged,  the analyst has the ability to quickly
retrieve all the logged packets and view [0] the reconstructed
session.

Obviously BASE was never designed to do this. BASE is what I would
call an 'alert browser'. That is not meant to be derogatory, it is
just what it has been designed to do and it can definately fullfill
the needs of many, especially those that adminster the systems and
networks their watching.

Sguil was designed to support network security monitoring [1].  It's
benefit will be seen by those of us who are monitoring large networks
and systems we don't control.

There are other projects that attempt to correlate and prioritize
various events using system logs, firewalls, audit info, etc. OSSIM
[1] is one such project.  Sguil is NOT a SIM [2,3].

Bammkkkk

[0] http://sguil.sourceforge.net/images/0.6/sguil_transcript.png
[1] http://www.taosecurity.com/books.html (TAO of Network Security Monitoring)
[2] http://infosecpotpourri.blogspot.com/2006/01/sguil-is-not-sim.html
[3] http://taosecurity.blogspot.com/2006/01/in-defense-of-david-bianco-id-like-to.html

On 5/27/06, Michael Scheidell <scheidell () secnap net> wrote:

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
> Drew Burchett
> Sent: Saturday, May 27, 2006 7:21 AM
> To: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] consensus on BASE
>
> I guess if BASE has one fatal flaw, there's no ability to see
> an IP conversation that triggered an alert.  For example, if
> you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no
> good way to tell if it was malicious or if some dummy just
> typed in the wrong URL.

Then there is no flaw in BASE, since it only records what snort gave it.
NOTHING can tell you what cause the 403 error unless you also correlate
it to syslogs for the web server.

(which you can do with base if you want to parse syslogs and send them
to base)

I think BASE is great, except for the searching capibilities.  They are
really poor.
That makes it hard to do anything but look at 'top 5' type events.

--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
MediaPro web base privacy and security training:
http://www.secnap.com/events.php?pg=15


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmdlnk&kid7521&bid$8729&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users




--
sguil - The Analyst Console for NSM
http://sguil.sf.net


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid7521&bid$8729&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: