Re: What makes a complete IDS package?

[Martin Holste <mcholste () gmail com>]

You're already set with PulledPork for rule management.  Don't forget
to do your tuning through disable_sids.conf.  I have Snort/Suricata
log to syslog and deal with alerts from my custom SIEM, but if I
didn't, I'd be using something like Snorby for my web front-end.  I
then use StreamDB (code.google.com/p/streamdb/) to handle
investigating alerts as it will immediately spit out the URL and fully
decoded page content from the alert connection you give it, and it
will integrate with Snorby in place of OpenFPC.  This saves a lot of
time over SGUIL or daemonlogger on a busy connection.  However, I'd
still recommend that you run daemonlogger or SANCP alongside in that
rare case you want to inspect low-level packet data.

On Sat, Mar 19, 2011 at 9:09 AM, Joel Esler <jesler () sourcefire com> wrote:
> I don't.  No.  I have those set to block in the IPS.
>
> On Mar 19, 2011, at 9:58 AM, James Lay wrote:
>
> I review my events on the command line.  I don't use a DB or whatever.  I've
> tuned the hell out of my Snort installation, so that when it alerts, I need
> to deal with something.
> Joel
>
> Joel,
> So….do you nuke out the "possible" rules?  Or the "likely hostile" rules?  I
> spend a fair amount of time tracking down obfuscated javascript and
> javascript in pdf type alerts…most are non-malicious, but some turn out to
> be bad…curious on just how much you've tuned my friend ;)
> James
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
> Twitter: @snort
>
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users