Snort mailing list archives

Re: BASE or Snort Report ???


From: "Champ Clark III [Softwink]" <champ () softwink com>
Date: Wed, 5 Jan 2011 11:36:12 -0500

On the topic of vaporware, didn't BASE get dumped some time ago as well?

        Kevin Johnson (the primary lead developer) left the BASE project
last year.  I don't think the project is dead,  but being
"re-implemented".   That's from what I understand....

Two jobs ago I wrote a custom interface using Python/Pylons that had
realtime views and analysis. At my last position I put Snorby in place and
that was a real treat, blew me away with the reports available and
interface. They just released 2.0 which I had been waiting for, but I've
since left that company and I've graduated from dealing with such things.

        Snorby is the bomb.   It lacks a few things we need for our 
environments,  but overall... I highly recommend Snorby. 

Choose something that will have room to grow and has, at the minimum, a
current set of interested developers. As a few others have pointed out you
might want to consider using plugins for snort to send alerts or using
syslog to deal with alerts, syslog-ng can handle alerts all on its own with
quite a bit of intelligence. I always liked using a notification system
outside of Snort as there are many other things in the admin world that
require attention. I keep them in a central place with a central syslog-ng
or monitoring system.

        Hence,  Sagan (sagan.softwink.com).  It'll not only "e-mail" 
out events,  but take log events that are triggered by the Sagan rule set 
(which is incredibly similar to a Snort rule set) and plug them into a
database.  That is,  then your Snort IDS/IPS events will be at a sensor 
ID _and_ your log events will be in another sensor ID (Sagan's).   This way, 
you can use Snorby (or whatever) to generate reports,  view correlated
events,  etc....  Oh,  and e-mail out events in real time if needed :)


-- 
        Champ Clark III | Softwink, Inc | 800-538-9357 x 101
                     http://www.softwink.com

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
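The layout Champ describes above, Snort IDS alerts under one sensor ID and rule-matched log events under another, both in one database so a front end can show them side by side and correlate them, as an added Python example. This is not Sagan's, Snorby's or the Snort project's code: the Snort fast-alert lines and syslog lines are constructed samples, the log rules are a hypothetical content-match simplification of a Snort-style rule (sid, msg, content), and the sqlite schema is my own rather than the Snort/BASE database schema.

```python
"""Toy two-sensor event store: Snort alerts (sensor 1) and syslog rule hits (sensor 2)
in one sqlite database, with a query that correlates them by source IP.
All sample lines and rules below are constructed for the example."""
import re
import sqlite3

# Constructed Snort alert_fast-style lines (sids in the local 1000000+ range).
SNORT_FAST_ALERTS = [
    "01/05-11:30:01.000000  [**] [1:1000001:1] LOCAL SSH scan (constructed) [**] "
    "[Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22",
    "01/05-11:31:10.000000  [**] [1:1000002:1] LOCAL web probe (constructed) [**] "
    "[Priority: 3] {TCP} 203.0.113.7:40000 -> 198.51.100.8:80",
]
# Constructed syslog lines from the host the scan was aimed at.
SYSLOG_LINES = [
    "Jan  5 11:30:05 bastion sshd[4412]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "Jan  5 11:30:07 bastion sshd[4412]: Failed password for invalid user root from 192.0.2.10 port 51236 ssh2",
    "Jan  5 11:32:00 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Hypothetical log rules: a Snort-like 'content' substring match plus sid/msg metadata.
LOG_RULES = [
    {"sid": 5000001, "msg": "LOCAL sshd failed password", "content": "Failed password for"},
    {"sid": 5000002, "msg": "LOCAL sshd invalid user", "content": "invalid user"},
]

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<text>.*)$"
)
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def _secs(hhmmss):
    """Seconds since midnight; neither sample format carries a year, so the toy keys on time of day."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def open_db():
    """One sensor row per event source, one event table shared by both."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor(sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
        CREATE TABLE event(
            id INTEGER PRIMARY KEY,
            sensor_id INTEGER REFERENCES sensor(sid),
            secs INTEGER, signature INTEGER, msg TEXT, src_ip TEXT, dst TEXT);
        INSERT INTO sensor VALUES (1, 'sensor1', 'eth1');    -- Snort on the span port
        INSERT INTO sensor VALUES (2, 'sensor1', 'syslog');  -- log engine on the syslog feed
    """)
    return db


def parse_fast_alert(line):
    """Turn one Snort fast-format alert into an event dict, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    return {"secs": _secs(m.group("ts").split("-")[1]), "signature": int(m.group("sid")),
            "msg": m.group("msg"), "src_ip": m.group("src"), "dst": m.group("dst")}


def match_log_line(line):
    """Run every log rule over one syslog line; each rule that fires yields its own event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return []
    ip = IP_RE.search(m.group("text"))
    return [{"secs": _secs(m.group("ts").split()[-1]), "signature": r["sid"], "msg": r["msg"],
             "src_ip": ip.group(1) if ip else None, "dst": m.group("host")}
            for r in LOG_RULES if r["content"] in m.group("text")]


def load_events(db, snort_lines, syslog_lines):
    """Store IDS alerts under sensor 1 and log hits under sensor 2; returns rows written."""
    sql = "INSERT INTO event(sensor_id, secs, signature, msg, src_ip, dst) VALUES (?,?,?,?,?,?)"
    rows = [(1, e["secs"], e["signature"], e["msg"], e["src_ip"], e["dst"])
            for e in map(parse_fast_alert, snort_lines) if e]
    rows += [(2, e["secs"], e["signature"], e["msg"], e["src_ip"], e["dst"])
             for ln in syslog_lines for e in match_log_line(ln)]
    db.executemany(sql, rows)
    db.commit()
    return len(rows)


def correlate(db, window_secs=300):
    """For each Snort alert, count log-engine events from the same source IP within the window."""
    rows = db.execute("""
        SELECT ids.src_ip, ids.msg, COUNT(logs.id)
          FROM event ids JOIN event logs
            ON logs.src_ip = ids.src_ip
           AND logs.secs BETWEEN ids.secs AND ids.secs + ?
         WHERE ids.sensor_id = 1 AND logs.sensor_id = 2
         GROUP BY ids.id ORDER BY ids.secs""", (window_secs,)).fetchall()
    return [(src, msg, n) for src, msg, n in rows]


if __name__ == "__main__":
    conn = open_db()
    print(load_events(conn, SNORT_FAST_ALERTS, SYSLOG_LINES), "events stored")
    for src, msg, n in correlate(conn):
        print(f"{src}: '{msg}' followed by {n} log-rule hits from the same source")
```

The point of keeping the two feeds in one event table under different sensor IDs is exactly what the post describes: a front end that already understands sensors needs no new schema to show the log hits, and a single join answers "which IDS alerts were followed by something on the host". A real deployment would key on full timestamps rather than time of day and would use Snort's own database output rather than this toy schema.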
