Snort mailing list archives
Re: snort web interface
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Wed, 24 Aug 2011 10:52:57 -0400
Alexus,

I don't have a horse in this race, so here is my opinion.

BASE: While not actively developed, BASE still has a very large user base (no pun intended). For new users I almost always recommend BASE.

1. It is easy to install and there are a ton of docs out there on how to install BASE. I'd hate to see someone lose interest in Snort solely because they are struggling with installing/managing a *superior* GUI/console. Most people are familiar with setting up and administering Apache/MySQL/PHP based applications.

2. If you are new to IDS/IPS in general, BASE is going to give you a good idea of the types of data you'll be working with. When you start working with that data it becomes apparent why other *superior* GUI/consoles are out there. For someone new to Snort, they are going to have their hands full just learning about...Snort. It doesn't do any good to increase the learning curve by throwing in a more complicated GUI/console.

BASE, however, is probably not a good long-term solution, due to the project's inactivity, the lack of support for some of the newer Snort features and lack of native tie-in support for full packet captures. It is still an excellent learning tool, and I highly recommend it for new Snort users.

Snorby: Long term, Snorby has the most promise and at some point will likely be the generally accepted GUI/console for working with Snort data and supporting packet captures. There are some very nice features in Snorby such as the hotkey feature and the tie-in to OpenFPC. There are things I do not like about Snorby. I'm not going to list them here because I have not used the latest version yet and it would be unfair to state that something was missing/broken if that isn't true of the current version. Snorby is based on Ruby. I had zero experience with Ruby before trying Snorby. This made it difficult for me to get it installed and working the first time. Keep this in mind if you also do not have a lot of Ruby experience. That said, a lack of Ruby experience should not prevent you from trying Snorby at some point. If you do have Ruby experience, then skipping BASE and moving right to Snorby might work for you.

Sguil: I have not used Sguil before but it too looks like a beast to install. That said, I know a lot of people who use it and swear by it. I personally prefer web-based applications. That is just me.

Squert: Like Paul said, Squert is not an analyst console. It looks very cool and might actually push me to give Sguil a try (it requires Sguil).

my .02

Wally