Snort mailing list archives

Re: BASE and Snorby running together


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 22 Feb 2012 14:42:06 -0700

It's just a way of viewing the data.

Unique Alerts shows a list of alerts triggered, the time and the number of events. Drilling down into a particular 
alert, you can then click "Unique IP Links" and get a listing of the unique src-dest IPs.  Typically this is only a 
couple of IP links.

I didn't see this in Snorby on the web demo, at least nothing that was immediately obvious.  It looked like a giant list 
of all events (each event a line in the GUI, even though they have the same src to dest IP).

________________________________
From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: February 22, 2012 1:08 PM
To: Jefferson, Shawn
Cc: Jan Seidl; security-onion () googlegroups com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] BASE and Snorby running together

Shawn,

Can you elaborate on what you mean by "Unique IP Links" and "Unique Alerts"?

Do you mean unique signatures/rules, or does BASE do event correlation now based on event attributes? If not, then this 
would be the signature listing in Snorby, but either way it's pretty pointless.

Unique IP Links: not sure what this means, but if you mean unique IPs, Snorby generates metrics for unique src/dst 
every 30 mins, every day. Click the pie chart to drill into the events for that address.

Either way, can you explain to me why this information is so critical that someone would use Snorby in conjunction with BASE?

- Dustin

Dustin W. Webber
Dustin.Webber () gmail com
(913) 375-2798

On Wed, Feb 22, 2012 at 3:55 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
On the demo, I noticed that Snorby didn't seem to have the same functionality as the "Unique IP Links" and "Unique 
Alerts" that BASE has.  Maybe I just missed how to view alerts in that way?


________________________________
From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: February 22, 2012 12:41 PM
To: Jan Seidl
Cc: security-onion () googlegroups com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] BASE and Snorby running together

Just curious: what are the features that Snorby does not have? Last time I checked, Snorby shadowed BASE in every area 
and then some.

- Dustin

On Feb 22, 2012, at 3:06 PM, Jan Seidl <lists () heavyworks net> wrote:

Shane, have you tried sguil with squert?
On Feb 22, 2012 3:04 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

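The "Unique Alerts" and "Unique IP Links" drill-down described in the thread above amounts to two GROUP BY queries over the same Snort event database that both consoles read; Snorby's flat per-event listing is the same rows without the grouping. The script below is an added example, not code from this thread and not BASE's or Snorby's own code. It assumes the classic Snort/Barnyard2 database layout (the `event`, `signature` and `iphdr` tables, with IPv4 addresses stored as unsigned 32-bit integers) and reproduces only the columns it needs in an in-memory SQLite database populated with constructed sample events, so it runs offline; the signature names, local SIDs and addresses are all made up.

```python
"""BASE-style "Unique Alerts" and "Unique IP Links" views as SQL.

Added example, not code from the thread, BASE or Snorby.  It assumes the
classic Snort/Barnyard2 database layout (event, signature, iphdr tables, IPv4
addresses stored as unsigned 32-bit integers) and uses an in-memory SQLite
copy of that subset, populated with constructed sample events.
"""
import ipaddress
import sqlite3

# Subset of the Snort DB schema (assumed; the real tables carry more columns).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

# Constructed sample data (local SIDs, RFC 5737 documentation addresses): one
# noisy scan rule firing repeatedly between a few hosts, plus one rarer rule.
SIGNATURES = [(1, "LOCAL SCAN Potential SSH Scan", 1000001),
              (2, "LOCAL POLICY Outbound TFTP", 1000002)]
EVENTS = [  # (cid, sig_id, timestamp, src, dst)
    (1, 1, "2012-02-22 13:00:01", "203.0.113.5", "192.0.2.10"),
    (2, 1, "2012-02-22 13:00:02", "203.0.113.5", "192.0.2.10"),
    (3, 1, "2012-02-22 13:00:03", "203.0.113.5", "192.0.2.10"),
    (4, 1, "2012-02-22 13:05:10", "203.0.113.5", "192.0.2.11"),
    (5, 1, "2012-02-22 13:07:44", "198.51.100.7", "192.0.2.10"),
    (6, 2, "2012-02-22 13:09:00", "192.0.2.20", "198.51.100.9"),
]


def ip_to_int(addr):
    """The Snort schema stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def load_db():
    """Build the in-memory database and insert the sample events (sensor sid=1)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for cid, sig, ts, src, dst in EVENTS:
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, 6)",
                   (cid, ip_to_int(src), ip_to_int(dst)))
    return db


# "Unique Alerts": one row per signature with event count, first/last seen and
# the number of distinct src->dst pairs.  (On MySQL write CONCAT(...) instead
# of ||, which is logical OR there unless PIPES_AS_CONCAT is set.)
UNIQUE_ALERTS_SQL = """
SELECT s.sig_name, COUNT(*) AS events,
       MIN(e.timestamp) AS first_seen, MAX(e.timestamp) AS last_seen,
       COUNT(DISTINCT i.ip_src || '>' || i.ip_dst) AS ip_links
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY s.sig_id, s.sig_name
ORDER BY events DESC, s.sig_id
"""

# "Unique IP Links" for one signature: one row per distinct src->dst pair.
UNIQUE_IP_LINKS_SQL = """
SELECT i.ip_src, i.ip_dst, COUNT(*) AS events
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.signature = ?
GROUP BY i.ip_src, i.ip_dst
ORDER BY events DESC, i.ip_src, i.ip_dst
"""


def unique_alerts(db):
    """Rows of (sig_name, events, first_seen, last_seen, ip_links)."""
    return [tuple(row) for row in db.execute(UNIQUE_ALERTS_SQL)]


def unique_ip_links(db, sig_id):
    """Rows of (src, dst, events) for one signature, addresses as dotted quads."""
    return [(int_to_ip(s), int_to_ip(d), n)
            for s, d, n in db.execute(UNIQUE_IP_LINKS_SQL, (sig_id,))]


if __name__ == "__main__":
    db = load_db()
    print("Unique Alerts")
    for name, n, first, last, links in unique_alerts(db):
        print(f"  {n:>3} events  {links} IP links  {first} .. {last}  {name}")
    print("Unique IP Links for signature 1")
    for src, dst, n in unique_ip_links(db, 1):
        print(f"  {n:>3}  {src} -> {dst}")
```

Run against a real Barnyard2 MySQL database the same two queries work once `||` is replaced by `CONCAT()` and the integer addresses are rendered with `INET_NTOA()`; the five scan events collapse to one alert row with three IP links, which is the triage view the thread is about.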
