Snort mailing list archives

Re: HELP ON SNORT


From: Heine Lysemose <lysemose () gmail com>
Date: Mon, 30 Jan 2012 08:30:17 +0100

Hi

Here is my input for a Snorby install on Ubuntu. In my environment I have tried to split the sensors and the DB/Snorby. Some of the components might be in a newer version than stated here, but I haven't tried them.

Text in brackets is either notes or output from the command line. Tabbed text is edited text in the files getting edited.

/Lysemose

On Mon, Jan 30, 2012 at 5:49 AM, Jeremy Hoel <jthoel () gmail com> wrote:

I will be there Monday, so it would be great to meet him. And I do plan on testing the newer Snorby on the install.

And yeah, I get that it can be installed and not run as a LiveCD, but your organization still has to support the base OS. So if it's Ubuntu you might have an issue with some of the DoD types as they are all pro RedHat/Cent. Then there's the update scripts, security checks, etc. It's not that it can't be done, it's just that it's not the right tool for that option. I know it's worked great for you and I think it's a fantastic learning tool. A lot of people talk very highly about it.

But since the question was about simple interfaces for Snort.. wouldn't the idea be that you install Snort yourself, get it working, then you install the console? So you need a console that is somewhat easy to install and that would work in most places.

I haven't tried Snorby or Sguil on FreeBSD or on Windows.. but I know BASE works on damn near every platform.. that's why I always recommend people start there to learn. To understand the process and see alerts, how tweaks work and what the IDS is doing.. then if they want to get pretty and move on.. help them make a choice that works for what they want.

On Sun, Jan 29, 2012 at 11:38 PM, Scott Runnels <srunnels () gmail com> wrote:

Jeremy,

I just want to point out that Security Onion isn't designed to be run as a live CD. It can be booted as a live CD for testing/exploration, but Doug Burks designed it as a next->next->finish install process then a quick setup process to get the analyst looking at alerts immediately as well as give them a comprehensive suite of tools. I have it running in production on ESXi, bare metal installs, and various desktop VM solutions (VMWare Fusion, VirtualBox, etc).

You and I have had this discussion to an extent at NovaHackers and it sounds like I might have been unclear when I gave my presentation on it in January (I was nervous, man!). However, Doug is going to be at ICF and presenting for the NovaHackers Shmoocon Epilogue and if you still think it falls outside of what the DOD/FED will allow, I know he'd be interested to hear what we can do to make sure it fits into that space.

v/r
Scott Runnels

p.s. See you Monday!

On Sun, Jan 29, 2012 at 11:18 PM, Jeremy Hoel <jthoel () gmail com> wrote:

I think there's a number of things here though.. not just which tool to promote.

For example - in a DOD/FED location you can't just use a live CD and run your NSM off that. So while using Security Onion is great to learn and test, it isn't the be-all end-all to those people that have a problem installing software (and it's always the answer I get when I had a question - just use Security Onion). You really should be able to install the tools and the OS yourself and lock them down to various security guidelines and know how the parts fit together, not just boot a CD and make that work without looking at it.

BASE (as outdated as it is) is the simplest to get up and running, to make sure things work and to have someone use as a quick console until they want to learn more.

Then you can go the Ruby/Snorby route or use TCL/Sguil. I think Sguil is a great tool overall for the extra things you get (connection tracking, transcripts, archiving, etc.) and while Snorby is pretty.. at last look, it didn't have an archive piece (this is important) and yes, it can use OpenFPC for data, but those bits didn't seem to gel all the time. And I haven't tested any of the connection tracking bits.

We have 40+ sensors.. that worked fine in BASE, though the DB was slow for some queries.. with Sguil it is fantastic, once you get all the moving parts installed. Luckily most of those parts are common and stable and a bit older so they work well. I've gotten Snorby up on CentOS but it takes a bit of work. It's not that it can't be done, but it's not fluid. It's very visual but it's not that simple, and for someone trying to see how Snort and rules work, BASE is the easiest way to get there.



On Sun, Jan 29, 2012 at 2:00 PM, Joel Esler <jesler () sourcefire com> wrote:

I've heard a lot of replies both on and off list in both directions.

We try not to "endorse" a certain product over another unless it has a functionality that we depend on (hence why we recommend PulledPork and barnyard2). However, if a project is dead (not actively developed and has reduced functionality) I don't mind not recommending it.

I've written the current BASE management in the past about missing functionality and have received 0 response. Dustin (Snorby) has always been responsive to me and the community.

The naysayers for Snorby complain about its difficulty in set up and its impractical use for large amounts of alerts.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 29, 2012, at 11:37 AM, Martin Holste <mcholste () gmail com> wrote:

The reasons that BASE should no longer be recommended are:
1. It is end-of-life. Dead.
2. There are many, many more but #1 is all you need.

As pointed out by others, if you really want the least amount of hassle, go with SecurityOnion. You cannot find a better return on your security time investment anywhere. A few clicks and you have a fully-functional, well-managed IDS and console and an active support community. I'd wager that most people could get the entire IDS and console installed from bare metal in less time than it takes to install BASE.

On Sat, Jan 28, 2012 at 11:28 AM, Dustin Webber <dustin.webber () gmail com> wrote:

All,

I just wanted to talk a bit on the install complexity concerns. Obviously, if you have a background in PHP, BASE will be a bit easier to install, but I don't think this is a reason to ignore / recommend one product over another. There are numerous docs on Snorby installation, a mailing list and a healthy community on irc.freenode / #snorby.

If you have issues with installation just ask :) Snorby is also part of Security Onion so you can get a functional Snorby/Sguil install in less than 10 mins.

Anyways, try them all and use what works best for your environment.

- Dustin

Dustin W. Webber
Dustin.Webber () gmail com
(913) 375-2798




On Sat, Jan 28, 2012 at 5:46 AM, Heine Lysemose <lysemose () gmail com> wrote:

Hi

I prefer Snorby. It's far more nice and good looking. And at last it is still in development...

Fair enough, it is a bit more complicated to get running in the first place, I've spent a couple of weeks getting things right, but in the end it is all worth it.

Also Snorby has got a great community for questions and problems.

If anyone is interested I have a small text guide for Snorby on Ubuntu 10.04 x86.

/Lysemose



On Fri, Jan 27, 2012 at 11:58 PM, Joel Esler <jesler () sourcefire com> wrote:

I had a question off list the other day about whether we should stop recommending BASE as a GUI from "snort.org"'s perspective.

Community? Thoughts?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Jan 27, 2012, at 5:18 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

OTOH BASE is EOL, or at any rate is not being maintained. I actually run BASE myself but I'm getting to hate some of its failings. Snorby and Sguil are in my future, you can bet.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH



-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Friday, January 27, 2012 14:31
To: Martin Holste
Cc: snort-users () lists sourceforge net; Jagan Mohan Reddy D
Subject: Re: [Snort-users] HELP ON SNORT

I disagree a bit. BASE is very easy to set up and use and it gets the analyst up and running and able to look at results very fast. Taking the time to install Snorby or SGUIL later is probably a good idea, but BASE gets it up and running and you know it's working before you go fighting Ruby or Tcl.


On Fri, Jan 27, 2012 at 9:23 PM, Martin Holste <mcholste () gmail com> wrote:

Also, don't use BASE. Use Snorby.

On Tue, Jan 24, 2012 at 12:32 PM, Joel Esler <jesler () sourcefire com> wrote:

On Tue, Jan 24, 2012 at 1:24 PM, Jagan Mohan Reddy D <jagan.mohan507 () gmail com> wrote:

I am looking for Snort + BASE on Ubuntu 10.04.....

How do I install and configure BASE with Snort...........?

www.snort.org/docs

Similarly, how do I install & configure SnortSam on Ubuntu as an IPS......?

SnortSam is not an IPS, it's a reaction-based system. Aside from that, look into barnyard2.

--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort







------------------------------------------------------------------------------

Keep Your Developer Skills Current with LearnDevNow!

The most comprehensive online learning library for Microsoft

developers

is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,

MVC3,

Metro Style Apps, more. Free future releases when you subscribe now!

http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


Please visit http://blog.snort.org to stay current on all the latest

Snort

news!





--
Scott Runnels




Attachment: Ruby 1.9.2, Rails 3.0.5 and Snorby.txt
