Snort mailing list archives

Re: HELP ON SNORT


From: beenph <beenph () gmail com>
Date: Mon, 30 Jan 2012 10:32:21 -0500

On Mon, Jan 30, 2012 at 10:13 AM, Dustin Webber <dustin.webber () gmail com> wrote:

> @elz
>
> | 1) What is an archive interface Dustin?
>
> I view any application that renders the contents of a database without added
> features or workflow to be an archive interface. Snorby adds a lot of the
> NSM classification principles. Snorby is great for viewing alerts but I
> would encourage people to classify events, promote them to incidents and
> tune your rule sets (pick your battles).


I will look into it to see how it's handled when I get some free play time.

But if what you define as classification only happens on a defined set
of data, does not influence new data, and leaves the IDS engine untouched,
then there is still room to empower the process, I think.

> | 2) And what is proper and improper uses of snortby?
>
> Improper: Not classifying events and following them from detection to
> remediation. It is also improper to leave your IDS untuned. If something
> is noisy and not critical place it in the threshold.conf and move on.
> (Snorby 2.x.x was heavily inspired by Sguil).


Ok, but this is more IDS specific than Snorby specific, whereas this
will exist with EVERY interface you have.
If you do not properly configure your IDS you will end up in a similar
issue, and that's pretty much de facto.

And the performance brick wall will always depend on the type of
resources you have available to your backend.

-elz
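As an added illustration of the "place it in the threshold.conf and move on" advice above (this is an example written for this archive page, not a file from the thread or from the Snorby project), here is what a Snort 2.x threshold.conf looks like when a noisy-but-useful rule is rate-limited and a rule that only fires on a known-benign host is suppressed. The rule SIDs (1000001 to 1000003) and the host address 192.0.2.10 are constructed placeholders; `gen_id 1` is the Snort rules engine, and the file is pulled in by an `include threshold.conf` line in snort.conf.

```conf
# threshold.conf (added example; SIDs and the IP are constructed placeholders)

# Noisy but still worth seeing: keep the rule, but only log the first
# match per source address in each 60 second window.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Known benign: a scanner host that legitimately trips this rule.
# Silence it for that one source only; every other source still alerts.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10

# Not relevant to this network at all: silence the rule everywhere.
# Prefer disabling the rule in the ruleset if it will never be needed.
suppress gen_id 1, sig_id 1000003
```

The difference between the two mechanisms is the point: `event_filter` keeps the detection and reduces volume, so an incident still surfaces in Snorby; `suppress` removes the event before it reaches the database, so it belongs only on matches you have already classified as benign. Review suppressions periodically, because a host that was benign when the entry was written may not stay that way.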
