Snort mailing list archives

Re: BASE and Snorby running together


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Wed, 22 Feb 2012 22:03:19 +0000

BASE used to have some functions that worked better before the coders decided they needed to protect against SQL/XSS 
injection. Now I can't enter SQL wildcard expansions ("LIKE %stuff%") in my queries. The search and restricting the 
results to "unique alerts" (a misnomer but admittedly probably the best wording) capabilities are big shortcomings of 
Snorby. The ability to do multiple drill-downs based on IP address, the requirement to drill down to the IP address 
itself before name resolution occurs, and especially the ability to construct detailed searches that can then be used 
to delete the found alerts (invaluable for tuning and getting rid of multiple FPs) are foremost.

And as mentioned, I am really trying to like it but I'm just not feeling the love :( . Not that I'm getting it much 
from BASE anymore either.

I have my current BASE screen set up to report on the last 100 "unique alerts", which gets me most of the day's unique 
listings, and I can quickly drill down to who/what are the most likely suspects. Snorby's display of each and every 
alert is just a waste of my time paging through screen after screen of junk alerts (at my current level of tuning - 
really need to get the Snort configured right).

As I mentioned in my first post, this is using Security Onion, so squert and Sguil are there too. I just don't want to 
give up all the work and learning that I put into BASE over the years.

And why can't I get 24-hour clock timestamps in Snorby? What's up with that? Who uses AM and PM for that anymore? Since 
SO wants the entire system to use UTC it makes it tiresome to do mod(12) arithmetic and then offset 7 hours. Yes I know 
it's a nit but it's a really annoying one.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
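The post's first complaint is that BASE traded "LIKE %stuff%" wildcard searches for injection protection. The two are not in conflict: a bound parameter keeps the wildcard semantics of LIKE while preventing the pattern from ever altering the statement. The following is an added example, not code from BASE, Snorby or Security Onion. It uses Python's sqlite3 module against a constructed two-table schema (event joined to signature) that only loosely resembles the Snort database layout, with invented sample rows, and it also covers the other items the post asks for: a per-signature "unique alerts" summary, search-then-delete for false-positive tuning, and rendering UTC timestamps as 24-hour local time at a caller-supplied fixed offset (DST handling is deliberately out of scope).

```python
"""Alert search with SQL wildcards kept and injection removed.

Added example, not code from BASE, Snorby or Security Onion. The schema is
a constructed two-table simplification loosely modelled on the Snort
database layout; the sample rows are invented.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data (not real alerts).
SIGNATURES = [
    (1, "ET SCAN Potential SSH Scan"),
    (2, "ET POLICY Dropbox Client Broadcasting"),
    (3, "ET SCAN Nmap Scripting Engine User-Agent Detected"),
    (4, "GPL ICMP_INFO PING *NIX"),
]
EVENTS = [  # (sid, cid, signature, timestamp stored in UTC)
    (1, 1, 1, "2012-02-22 14:03:19"),
    (1, 2, 1, "2012-02-22 14:05:02"),
    (1, 3, 3, "2012-02-22 15:11:40"),
    (1, 4, 2, "2012-02-22 16:00:00"),
    (1, 5, 4, "2012-02-22 21:59:59"),
]

JOIN = "FROM event e JOIN signature s ON e.signature = s.sig_id"


def build_db():
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
    """)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    return conn


def count_unsafe(conn, pattern):
    """Vulnerable form: the pattern is spliced into the statement text.
    Wildcards work, but a quote in the pattern rewrites the query."""
    sql = "SELECT COUNT(*) %s WHERE s.sig_name LIKE '%s'" % (JOIN, pattern)
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, pattern):
    """Bound parameter: % and _ in the pattern still expand inside LIKE,
    but the pattern can only ever be data, never SQL."""
    sql = "SELECT COUNT(*) %s WHERE s.sig_name LIKE ?" % JOIN
    return conn.execute(sql, (pattern,)).fetchone()[0]


def unique_alerts(conn):
    """One row per signature with a hit count, most frequent first
    (the kind of 'unique alerts' summary the post describes)."""
    sql = ("SELECT s.sig_name, COUNT(*) AS hits %s "
           "GROUP BY s.sig_id ORDER BY hits DESC, s.sig_name" % JOIN)
    return conn.execute(sql).fetchall()


def delete_matching(conn, pattern):
    """Delete every event whose signature name matches the wildcard pattern
    (search-then-delete for false-positive tuning); returns rows removed."""
    sql = ("DELETE FROM event WHERE signature IN "
           "(SELECT sig_id FROM signature WHERE sig_name LIKE ?)")
    cur = conn.execute(sql, (pattern,))
    conn.commit()
    return cur.rowcount


def local_24h(ts_utc, offset_hours):
    """Render a UTC 'YYYY-MM-DD HH:MM:SS' timestamp as 24-hour local time
    at a fixed offset (assumption: caller supplies the offset, no DST)."""
    dt = datetime.strptime(ts_utc, "%Y-%m-%d %H:%M:%S") + timedelta(hours=offset_hours)
    return dt.strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    db = build_db()
    inj = "%' OR '1'='1"
    print("unsafe:", count_unsafe(db, inj), "safe:", count_safe(db, inj))
    print("SCAN hits:", count_safe(db, "%SCAN%"))
    for name, hits in unique_alerts(db):
        print(hits, name)
    print("deleted:", delete_matching(db, "%SCAN%"))
    print(local_24h("2012-02-22 21:59:59", -7))
```

With the pattern "%' OR '1'='1" the spliced query matches every row, while the bound version matches none, because the quote is just another character inside the LIKE operand; "%SCAN%" behaves identically in both. A web front end that wants wildcard search therefore only needs to bind the pattern, not to strip % from user input. Note that SQLite's LIKE is case-insensitive for ASCII, whereas MySQL's depends on the column collation, so "%scan%" may behave differently against a real BASE database.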


