Snort mailing list archives

Re: HELP ON SNORT


From: beenph <beenph () gmail com>
Date: Mon, 30 Jan 2012 10:33:36 -0500

On Mon, Jan 30, 2012 at 9:54 AM, Paul Halliday <paul.halliday () gmail com> wrote:
On Mon, Jan 30, 2012 at 9:42 AM, Joel Esler <jesler () sourcefire com> wrote:
On Jan 30, 2012, at 7:53 AM, Paul Halliday wrote:

On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:

On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:


I have heard these concerns as well and it always ended up being someone who
didn't tune their sensor and had 150k events every 30 minutes.


Agreed!


So do we just shake our fingers at them and move on?


No.  It starts at my/our level.  We have to make the engine easier to use,
simpler to tune, easier to understand.
...

It involves coordination with open source products to make things easier to
use and tune.  All things on my plate for this year.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

This is a good start, the second part however is quite complicated.
Think of Sguil's mantra: "Written by Analysts, for Analysts". OK, so
we just alienated everyone that isn't an experienced analyst. Snorby
(mantra aside) falls into this group as well.

What I am getting at is we have a huge tool gap. Well, it's not even a
gap at all because there is only one side; hence the lack of
accessibility I mentioned earlier.

Here is the way I see it: Sourcefire/OISF
provide tools which produce a source of
information that is then processable (Unified2/Syslog/Text file/Pcap etc.).

That information can be stored and analysed in many ways.

Person X's needs might not be Person Y's needs, or Person Z's.

There is a gap between using open source tools such as display/analysis
tools for small to medium settings,
but there is a huge step to bring this into a SIEM service/platform
that will scale for a high-needs environment.

And personally I think that's where the line is. If you are trying to
profit from tools or "save" by using them,
you will end up having to use some of your "elbow oil" and probably
dev/customize some tools.

I have a hard time believing that anything that could be brewed by
multiple groups or even the "community"
would still meet the requirements of some specific settings.

As long as the majority is pleased I think it is enough, and I am sure
2012 will bring some joy to some people.

-elz
