Snort mailing list archives

Re: BASE 1.4.x updates?


From: "Randal T. Rioux" <randy () procyonlabs com>
Date: Fri, 18 Feb 2011 16:17:13 -0500

On 2/18/2011 12:34 PM, Jefferson, Shawn wrote:
Hi,

I have hacked in support of StreamDB and OpenFPC into my own BASE
1.4.x (screenshot attached), which simplifies several steps I was
going through when analyzing events.  If anyone is interested, let me
know, and I can post what I've changed and added (it's not pretty,
but it works!)

Is development on BASE 1.4.x now stopped in favor of BASE 2.0?  I've
made several mods to the BASE that I'm using and I'd like to see
these ideas brought into BASE (2.0 for sure, ideally backported to
1.4.5 if 2.0 is still way off):

1. Support for more links on the base_stat_ipaddr page, specifically,
the ability to call a URL with specific parameters (like computer
name, etc.)  I'm using this to link to a systems management product
that gives more detail on the computer in question.

2. Further on this idea, I have changed base_stat_ipaddr to just show
the patch/update information directly from my systems management
product; this is a great time-saving feature, as you are looking
through an event, and wonder if that software is even installed on
that asset, or whether that patch is missing or not.

3. A way to link to a function (that the user would provide) that
takes the CVE from the rule/alert as a parameter, and returns TRUE or
FALSE.  The function could look up the CVE in a systems management
product (that's what I'm doing), or anything else (Nessus scan
results stored in a file or database).  Use this value to highlight
those alerts where the attack matches the vulnerability.  (Currently
I show these in red to highlight them.)

Dev on 1.x has pretty much stopped, but I can add these changes to the
CVS (in fact, I'd love to). Send the bits to me privately and we'll take
it from there. Perhaps we can squeeze out a new release with this and
some other changes I have.

BASE has new management, but nothing has been started yet.

Thanks!
Randy
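The third idea in the quoted message (a user-supplied hook that takes the CVE from a rule's reference and answers TRUE/FALSE, used to highlight alerts where the attack matches a known open vulnerability) is sketched below as an added example. It is not code from this thread or from the BASE project; the alert records, the `cve,YYYY-NNNN` Snort reference syntax handling, and the vulnerability inventory (a stand-in for Nessus results or a systems management product) are all constructed here, and the hook is shown as a plain callable so it can be swapped for a real lookup.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for Nessus scan results or a systems management
# product: the set of (asset IP, CVE id) pairs known to be open.
VULN_INVENTORY = {
    ("10.0.0.5", "CVE-2010-1234"),
    ("10.0.0.7", "CVE-2009-0001"),
}

def host_is_vulnerable(host, cve):
    """The user-provided hook: True if `host` has `cve` open in the inventory.

    Replace the body with a query against your own scanner or asset
    database; the highlighter only relies on the (host, cve) -> bool contract.
    """
    return (host, cve.upper()) in VULN_INVENTORY

# Snort rules carry references as 'cve,2010-1234'; some older feeds write
# 'CVE-2010-1234'. Accept both, case-insensitively.
CVE_RE = re.compile(r"cve[,-](\d{4}-\d{4,})", re.IGNORECASE)

def cves_from_reference(reference):
    """Extract normalised CVE ids from a rule's reference string.

    Non-CVE references (bugtraq, url, ...) are ignored; an alert whose rule
    has no CVE reference yields an empty list and is never highlighted.
    """
    return ["CVE-" + m for m in CVE_RE.findall(reference)]

@dataclass
class Alert:
    sig_name: str   # rule message
    dst_ip: str     # the asset the attack was aimed at
    reference: str  # the rule's reference: options, ';'-joined

def highlight(alerts, lookup=host_is_vulnerable):
    """Return (alert, matched_cves) pairs; a non-empty list means 'show in red'."""
    result = []
    for alert in alerts:
        matched = [c for c in cves_from_reference(alert.reference)
                   if lookup(alert.dst_ip, c)]
        result.append((alert, matched))
    return result

def highlighted_names(alerts, lookup=host_is_vulnerable):
    """Convenience: names of the alerts that would be highlighted."""
    return [a.sig_name for a, matched in highlight(alerts, lookup) if matched]

# Constructed sample alerts: one hits a host with the CVE open, one hits a
# host without it, one has no CVE reference at all.
SAMPLE_ALERTS = [
    Alert("WEB-MISC sample exploit attempt", "10.0.0.5",
          "cve,2010-1234;bugtraq,12345"),
    Alert("WEB-MISC sample exploit attempt", "10.0.0.6",
          "cve,2010-1234;bugtraq,12345"),
    Alert("POLICY sample unrelated alert", "10.0.0.7",
          "url,example.invalid/docs"),
]

if __name__ == "__main__":
    for alert, matched in highlight(SAMPLE_ALERTS):
        flag = "RED " if matched else "    "
        print(f"{flag}{alert.dst_ip:<10} {alert.sig_name}  {matched}")
```

Because the hook is called once per CVE per displayed alert, a real implementation that queries a remote product should cache (host, cve) answers for the page render; the contract above makes that a wrapper around `lookup` rather than a change to the highlighter.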
