Snort mailing list archives

Re: BASE and Snorby running together


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Wed, 22 Feb 2012 16:27:29 -0500

I'm really trying to like Snorby, but there are a few things that keep
driving me away. I haven't used BASE in a while (I'm a recent Sguil
convert), but the things I remember...

1. The search functionality in BASE was far more flexible than in
Snorby. There is no OR in the Snorby search page. When I see an alert
one of the first things I want to know is, what other alerts did the
source or destination produce. In Snorby you can't search for
'src=10.1.1.1 OR dst=10.1.1.1 in the last X amount of time'.

What I would really like to see is a button (like the "copy to
clipboard" one) that will bring up all of the unclassified events with
that IP address as either the src or dst. One click, see them all.

2. Personal annoyance. On the Ascii tab, it displays spaces as dots.
To me anyway, this makes it a little confusing to read.

3. (not in BASE but I'll throw this in for free) If you expand an
alert, and then hotkey-classify it, the UI sends you back to the main
events page. It would be faster, for an analyst, if the UI just
brought up the next alert, already expanded, in the list. An
option to display either the hex or ascii tab would be great too.

4. Unique IP links. In BASE you could easily get a summary of all the
unique IP to IP events. This made it easy to spot loud offenders.
ex.

src      -> dst       | count

10.1.1.1 -> 1.1.1.1   | 2
2.2.2.2  -> 10.1.1.2  | 1
2.2.2.2  -> 10.1.1.3  | 1

5. Canned info on the main page. Most frequent src or dst, top 5
alerts (great for initial tuning), etc

6. Clickable links to the rule references.

7. Delete alerts.

Just a few off the top of my head.

thx,
wally
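The three BASE-style views asked for above (alerts where an IP is src OR dst within a time window, unique src-to-dst pair counts, and top-N signatures for tuning) written as queries over the Snort database schema, as an added example; this is not code from BASE, Snorby or the original post. It assumes the Snort schema's event / iphdr / signature tables with IPs stored as unsigned integers, rebuilt here in a simplified in-memory SQLite database; the sample alerts and the fixed "now" are constructed.

```python
"""BASE-style summary queries over a (simplified) Snort alert database.

Assumption: the Snort DB schema layout, i.e. event(sid, cid, signature, timestamp),
iphdr(sid, cid, ip_src, ip_dst) with IPs as unsigned ints, and
signature(sig_id, sig_name). Only the columns the queries need are kept.
All sample rows below are constructed, not real alerts.
"""
import socket
import sqlite3
import struct
from datetime import datetime, timedelta

# Fixed reference time so the "last X hours" window is reproducible (constructed).
NOW = datetime(2012, 2, 22, 16, 0, 0)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample alerts: (cid, signature name, src, dst, minutes before NOW)
SAMPLE = [
    (1, "ICMP PING NMAP", "10.1.1.1", "1.1.1.1", 5),
    (2, "ICMP PING NMAP", "10.1.1.1", "1.1.1.1", 7),
    (3, "SCAN SSH brute force", "2.2.2.2", "10.1.1.2", 30),
    (4, "SCAN SSH brute force", "2.2.2.2", "10.1.1.3", 40),
    (5, "WEB-MISC robots.txt access", "3.3.3.3", "10.1.1.1", 90),  # outside a 1h window
    (6, "ICMP PING NMAP", "4.4.4.4", "10.1.1.9", 2),
]


def ip_to_int(ip: str) -> int:
    """Dotted quad -> unsigned int, as the Snort schema stores ip_src/ip_dst."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def build_db() -> sqlite3.Connection:
    """Create the simplified schema in memory and load the constructed alerts."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
    """)
    sig_ids = {}
    for cid, name, src, dst, minutes_ago in SAMPLE:
        if name not in sig_ids:
            sig_ids[name] = len(sig_ids) + 1
            con.execute("INSERT INTO signature VALUES (?, ?)", (sig_ids[name], name))
        ts = (NOW - timedelta(minutes=minutes_ago)).strftime(TS_FMT)
        con.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig_ids[name], ts))
        con.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)",
                    (cid, ip_to_int(src), ip_to_int(dst)))
    con.commit()
    return con


def alerts_involving(con: sqlite3.Connection, ip: str, hours: int = 1) -> list:
    """Item 1: every alert with `ip` as src OR dst in the last `hours` hours."""
    since = (NOW - timedelta(hours=hours)).strftime(TS_FMT)
    n = ip_to_int(ip)
    rows = con.execute("""
        SELECT e.cid, s.sig_name, i.ip_src, i.ip_dst, e.timestamp
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        JOIN signature s ON s.sig_id = e.signature
        WHERE (i.ip_src = ? OR i.ip_dst = ?) AND e.timestamp >= ?
        ORDER BY e.timestamp
    """, (n, n, since)).fetchall()
    return [(cid, name, int_to_ip(src), int_to_ip(dst), ts)
            for cid, name, src, dst, ts in rows]


def unique_pairs(con: sqlite3.Connection) -> list:
    """Item 4: unique src -> dst pairs with event counts, loudest first."""
    rows = con.execute("""
        SELECT ip_src, ip_dst, COUNT(*) AS n
        FROM iphdr
        GROUP BY ip_src, ip_dst
        ORDER BY n DESC, ip_src, ip_dst
    """).fetchall()
    return [(int_to_ip(s), int_to_ip(d), n) for s, d, n in rows]


def top_signatures(con: sqlite3.Connection, limit: int = 5) -> list:
    """Item 5: the most frequent signatures, the first thing to look at when tuning."""
    return con.execute("""
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_name
        ORDER BY n DESC, s.sig_name
        LIMIT ?
    """, (limit,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in alerts_involving(db, "10.1.1.1"):
        print("involving 10.1.1.1 (1h):", row)
    for row in unique_pairs(db):
        print("pair:", row)
    for row in top_signatures(db):
        print("top sig:", row)
```

Against a real Snort/BASE/Snorby database the same SQL applies with the production column types; the only change is replacing the in-memory table creation with a connection to that database and comparing `timestamp` as a proper datetime rather than a fixed-format string.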

On Wed, Feb 22, 2012 at 3:40 PM, Dustin Webber <dustin.webber () gmail com> wrote:
Just curious.. What are the features that snorby does not have? Last time I
checked snorby shadowed BASE in every area and then some.

- Dustin

On Feb 22, 2012, at 3:06 PM, Jan Seidl <lists () heavyworks net> wrote:

Shane, have you tried sguil with squert?

On Feb 22, 2012 3:04 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
