Snort mailing list archives

Re: snort web interface


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 23 Aug 2011 20:30:01 -0600

Hi,

I've sent my changes to the maintainers, but it may not be in a form that is readily or easily adapted to the code base.

________________________________
From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: August 23, 2011 7:16 PM
To: Jefferson, Shawn
Cc: Martin Holste; Snort
Subject: Re: [Snort-users] snort web interface

Shawn,

No reason to say `Unfortunately` - you are doing proper IR. If you contributed to BASE to add this functionality.. 
then.. you know what you are doing.. not much I can say to that.

Dustin W. Webber
Dustin.Webber () gmail com

On Tue, Aug 23, 2011 at 10:13 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
I agree that full packet capture is essential, IMO... and I use both OpenFPC and StreamDB, since they both have their
strong points and weaknesses.  Everyone should have this setup to really be able to investigate events from IDS.

I also have integration into systems management (i.e., does this alert correlate with vulnerabilities on the box?), and
also correlation with my endpoint protection system as well.  Unfortunately, I am currently doing this via BASE and
some custom code.  I've found this very helpful too, and it makes analysts more efficient.
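The alert-to-vulnerability correlation Shawn describes, as an added example that is not part of the original thread, of BASE, or of any of the tools named here: it parses Snort "alert_fast" lines and joins them against a host inventory. The rule-to-vulnerability tags (RULE_REFS) and the per-host findings (HOST_VULNS) are constructed placeholders standing in for the rule metadata and a scanner export.

```python
"""Enrich Snort fast-format alerts with host vulnerability data.

All sample data is constructed; RULE_REFS and HOST_VULNS are hypothetical
stand-ins for rule reference metadata and a vulnerability scanner export.
"""
import re

# Snort "alert_fast" layout: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Hypothetical: vulnerability tags a rule's reference keywords point at, by SID.
RULE_REFS = {
    "1000001": {"vuln-webapp-rce"},
    "1000002": {"vuln-smb-auth"},
}

# Hypothetical: per-host findings from the systems-management / scanner side.
HOST_VULNS = {
    "192.168.1.10": {"vuln-webapp-rce", "vuln-ssl-weak"},
    "192.168.1.20": set(),
}


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(line):
    """Parse one alert and record whether the destination host is known to
    carry what the rule detects. A host missing from the inventory is
    reported as 'unknown' rather than silently treated as not vulnerable."""
    alert = parse_fast_alert(line)
    if alert is None:
        return None
    refs = RULE_REFS.get(alert["sid"], set())
    host = HOST_VULNS.get(alert["dst"])
    if host is None:
        alert["vuln_match"] = "unknown"
        alert["matched"] = []
    else:
        alert["matched"] = sorted(refs & host)
        alert["vuln_match"] = "yes" if alert["matched"] else "no"
    return alert
```

An analyst front-end can then sort or colour alerts on vuln_match, so a hit against a host that actually carries the weakness surfaces before the noise.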



________________________________
From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: August 23, 2011 6:56 PM
To: Martin Holste
Cc: Snort
Subject: Re: [Snort-users] snort web interface

All,

Very concerned with the comments by James Lay and Adam Wright... Idiotic to say the least... anyways..

Second, I don't think I have ever heard anyone sum up how important full packet capture is than Martin Holste just did
(since Bam/Richard of course). I'm biased in this decision because I started and maintain snorby but if you decided to
use another tool please make sure it follows the NSM guidelines. Sguil, snorby, Squert and the upcoming nsmframework
are your best options for proper IR/NSM solutions.

Martin, I would like to work with you on getting StreamDB a proper snorby plugin/menu selection.

Dustin W. Webber
Dustin.Webber () gmail com
(913) 375-2798
On Tue, Aug 23, 2011 at 9:41 PM, Martin Holste <mcholste () gmail com> wrote:
I agree with Jason:  BASE is dead and clunky, and not all that easy to
install.  If you are looking for a dead simple install with no traffic
integration, then I suggest having Snort (or barnyard) output to
syslog and send it to a personal version of Splunk, which is free.
You can get that up and running in about five minutes.  However,
Snorby is superior and worth putting a few more (but not too many
more) minutes of time because you get the packet integration.  In my
opinion, unless you have access to the traffic you are inspecting with
your IDS in some sort of raw form, you are operating a crippled
installation and have no way to make informed decisions about good or
bad events on the network.

I will also mention that Snorby integrates with my
StreamDB.googlecode.com project which is OpenFPC compatible, but
several orders of magnitude faster than OpenFPC.  So my recommendation
would be to use Snorby with StreamDB.  Sguil is rock solid, but pcap
retrieval is just too slow for my taste, and so that precludes running
Squert.

On Tue, Aug 23, 2011 at 8:03 PM, Jason Meller <jason.meller () gmail com> wrote:
Alexus,
Full disclosure, I work with Mephux on Snorby but I don't think James or
Alex correctly or accurately answered your question, so I wanted to throw in
my $0.02.

BASE is a dead project and hasn't had a new feature pushed since 2008 (3
years ago). It doesn't plug in with any of the packet capture frameworks out
there and its interface is disorganized compared to the other available
front-ends. It's dead, let's move on. Supporting a dead open-source project
hurts the actively developed efforts out there.

Squert is a bad ass project in active development. One thing James didn't
mention though is that it requires SGUIL which utilizes an entirely
different DB schema than the ones provided by the snort/barnyard2 db output
plugins. SGUIL requires a bit more expertise to get up and running than your
standard Snort + front-end solution. If you want to go that route Squert is
a good SGUIL companion.

Snorby is a RECENT development in the community. It was first introduced in
2009 and has far surpassed BASE in functionality. I work with Mephux
developing Snorby and here are some of the reasons I would recommend it to
anyone:

It's actively developed by two passionate NSM analysts.
It allows you to pivot on datapoints in the events without interrupting
analyst's thought process (rule content, related alerts, ip arin/whois data)
It integrates with OpenFPC and Solera DeepSee products for Full Packet
Capture.
It has exportable and beautiful PDF reports and metrics.

The security industry is evolving so rapidly that choosing a dead project
like BASE for your SOC, MSSP, CIRT, or even personal use is just setting you
up for failure.

Other people agree with this assessment and that is why the project has been
accepted into Security Onion Distro and featured on The Change Log.
Other analysts are excited about Snorby as well. Check out these articles:

http://beboblog.johnbebo.com/2011/08/13/snorby-as-ids.aspx
http://www.aldeid.com/wiki/An-interesting-forensics-analysis

If you want to check out Snorby check out our live demo at
http://demo.snorby.org (u: demo () snorby org, p: snorby)
If you want to test out Snorby in your environment, check out Insta-Snorby
(www.snorby.org), it's a turn-key Snorby.
Enjoy the project and please support us!
Mephux and Terracatta
On Tue, Aug 23, 2011 at 7:34 PM, James Lay <jlay () slave-tothe-box net> wrote:


On 8/23/11 5:04 PM, "alexus" <alexus () gmail com> wrote:

I was wondering what's popular/good web interfaces these days?

--
http://alexus.org/


--------------------------------------------------------------------------
----
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

BASE seems to give the maximum amount of information/reports vs. ease of
install.  SQueRT is awesome, but does require a few extra processes
running.  Snorby is "ok"...not very good for reports at least in my
experience.  For SQueRT and Snorby, it's pretty crucial that you have a
tuned snort install since you don't have an easy method to delete entries.

James








