Snort mailing list archives
Re: HELP ON SNORT
From: Dustin Webber <dustin.webber () gmail com>
Date: Mon, 30 Jan 2012 10:13:56 -0500
@Heine_Lysemose Excellent job on the docs - I will get them added to the Snorby wiki.

** Note: Snorby has a lot of docs - notice the ebook in progress at https://github.com/Snorby/snorby/wiki thanks to Brett Cunningham.

@elz

> 1) What is an archive interface Dustin?

I view any application that renders the contents of a database without added features or workflow to be an archive interface. Snorby adds a lot of the NSM classification principles. Snorby is great for viewing alerts, but I would encourage people to classify events, promote them to incidents and tune your rule sets (pick your battles).

> 2) And what is proper and improper uses of Snorby?

Improper: Not classifying events and following them from detection to remediation. It is also improper to leave your IDS untuned. If something is noisy and not critical, place it in the threshold.conf and move on. (Snorby 2.x.x was heavily inspired by Sguil).

Proper: `The Tao of Network Security Monitoring: Beyond Intrusion Detection` - http://www.amazon.com/Tao-Network-Security-Monitoring-Intrusion/dp/0321246772

----------------

@jeremy_Hoel Could you go into more detail as to why Snorby is more complex/confusing to use than BASE, or for beginners? Snorby has always been about simplicity, scalability (within reason) and embodying the concepts of Sguil/Richard's books. I will be attending NovaHackers tonight. Let's talk more then.

@paulh I agree with you on some of the Snorby features, but keep in mind you can embrace them (please do) or completely ignore them (it's like BASE minus the ugly, uselessness and horrible workflow, i.e. no page change to view an event's payload etc.). Anyway, that's why Snorby should be recommended.. it's super easy to use IMHO (and others.. 80% of the Snorby userbase is new to defsec..). The workflow encourages proper/modern NSM ideals, and when they start getting the hang of it they can enable the more advanced parts. Also, moving between Snorby and Sguil/Squert should be less of a learning curve.
Word,
Dustin W. Webber
Dustin.Webber () gmail com

On Sun, Jan 29, 2012 at 11:20 PM, beenph <beenph () gmail com> wrote:
> On Sun, Jan 29, 2012 at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:
> > All,
> > Cliffnotes: Snorby is not an archive interface and can scale very well when used properly. Snorby is using NEW technology and languages. (sorry?)
>
> Two quick questions:
> 1) What is an archive interface Dustin?
> 2) And what is proper and improper uses of Snorby?
>
> > > hhmm, impractical use for large amounts of alerts?
> >
> > Well, Snorby is not an archive interface and it's intended for professionals that tune and know what they are looking for. I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes. Listen, if someone can figure out how to scale this DB schema to that amount of raw data and still build time based metrics.. You should be working for the Google R&D team.. Because you obviously figured out how to do quantum storage / processing.
>
> The real issue actually lies elsewhere. The default database schema that people have been relying on for a few years to store and process alerts is not in a state where you can even think about performance, and this is in the process of getting addressed. But even using an improved database schema is not all. UI technology/behavior and DBMS configuration will play a huge role in how things will be able to scale in the end.
>
> Deployment of such infrastructure is often done/suggested by some tutorials to coexist on the same system (IDS/Event logger/Database/Web server/UI), which is generally set to fail in the first place. Technically you should have dedicated sensors, at least one dedicated database and at least one dedicated web server. People who are serious about learning will encounter issues at each level and will generally be able to adapt and come up with something viable for their needs in the end.
>
> Anyhow, in the next months hopefully the new schema will allow people to scale better.
>
> -elz
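The tuning advice in the message above ("if something is noisy and not critical, place it in the threshold.conf and move on") is shown below as an added example; it is not from the thread or from the Snorby project. It uses the Snort 2.9 threshold.conf syntax (suppress and event_filter); the gen_id/sig_id values are constructed placeholders from the local-rule SID range, not real signatures.

```conf
# threshold.conf - added example; loaded from snort.conf via "include threshold.conf".
# All sig_id values below are constructed placeholders (local-rule range), not real rules.

# 1) suppress: drop the event entirely for a known noise source (e.g. an internal
#    vulnerability scanner). Nothing reaches the database, so the event can never be
#    classified in Snorby - use this only for events already triaged as non-critical.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.5

# 2) suppress by destination: silence a rule for one subnet while it still fires elsewhere.
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.168.10.0/24

# 3) event_filter type limit: keep the first alert per source every 5 minutes. The event
#    still shows up for classification, but a chatty host no longer floods the DB with
#    thousands of identical rows per interval.
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 300

# 4) event_filter type threshold: alert only once a source trips the rule 20 times in
#    60 seconds - single hits are ignored, a sustained burst is reported once.
event_filter gen_id 1, sig_id 1000004, type threshold, track by_src, count 20, seconds 60
```

The distinction that matters for the NSM workflow argued in the thread: suppress removes the event before it is logged, whereas event_filter rate-limits it, so the analyst still sees one representative alert to classify or promote to an incident. After editing the file, restart Snort (or send it SIGHUP) and confirm with the rule-profiling or alert counts that the noisy SIDs have actually dropped off.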