Snort mailing list archives
Re: HELP ON SNORT
From: beenph <beenph () gmail com>
Date: Mon, 30 Jan 2012 10:32:21 -0500
On Mon, Jan 30, 2012 at 10:13 AM, Dustin Webber <dustin.webber () gmail com> wrote:
@elz | 1) What is an archive interface Dustin? I view any application that renders the contents of a database without added features or workflow to be an archive interface. Snorby adds a lot of the NSM classification principles. Snorby is great for viewing alerts, but I would encourage people to classify events, promote them to incidents and tune your rule sets (pick your battles).
I will look into it to see how it's handled when I get some free-play time. But if what you define as classification only happens on a defined set of data, does not influence new data, and leaves the IDS engine untouched, then there is still room to empower the process, I think.
| 2) And what are proper and improper uses of Snorby? Improper: Not classifying events and following them from detection to remediation. It is also improper to leave your IDS untuned. If something is noisy and not critical, place it in threshold.conf and move on. (Snorby 2.x.x was heavily inspired by Sguil.)
OK, but this is more IDS-specific than Snorby-specific, whereas this will exist with EVERY interface you have. If you do not properly configure your IDS you will end up with similar issues, and that's pretty much de facto. And the performance brick wall will always depend on the type of resources you have available to your backend.

-elz
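The threshold.conf advice in the quoted reply above, as an added example that is not part of the original thread and not Snort's own shipped threshold.conf. The SIDs (1000001-1000004, in the local-rule range) and the source address 192.0.2.10 are made-up placeholders; gen_id 1 is the generator for text rules.

```conf
# Rate-limit a noisy but non-critical rule instead of disabling it:
# log at most one alert per source IP every 60 seconds.
# (sig_id 1000001 is a placeholder SID, not a real rule.)
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Only alert once a single source has tripped the rule 10 times within
# 60 seconds, then once per further 10 hits (type threshold).
event_filter gen_id 1, sig_id 1000002, type threshold, track by_src, count 10, seconds 60

# Silence the rule for one known-benign host (192.0.2.10 is a
# documentation-range placeholder); every other source still alerts.
suppress gen_id 1, sig_id 1000003, track by_src, ip 192.0.2.10

# Last resort for a rule that is noise everywhere: suppress it outright.
# Prefer fixing or disabling the rule in the .rules file instead.
suppress gen_id 1, sig_id 1000004
```

The stock snort.conf pulls this file in with `include threshold.conf`, so the entries take effect on the next restart; `snort -T -c /etc/snort/snort.conf` parses the configuration without sniffing and reports syntax errors in the filters. `event_filter` replaced the older `threshold` keyword in Snort 2.8.5, and `type both` combines the two behaviours shown above (alert once the count is reached, then at most once per interval).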