Snort mailing list archives

Re: BASE and Snorby running together


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Wed, 22 Feb 2012 23:49:43 +0000

I'm giving up on the idea of running BASE on SO, now. I guess I was just wistful for the old days.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Dustin Webber [mailto:dustin.webber () gmail com] 
Sent: Wednesday, February 22, 2012 15:58
To: Castle, Shane
Cc: Jason Wallace; security-onion () googlegroups com; Snort-Users
Subject: Re: [Snort-users] BASE and Snorby running together

Shane,

RE: Searching -- This is in the works, pretty easy to add but the design/workflow gets a bit more challenging. Most of 
my time has been spent on Snorby 3.0.0; however, this weekend I'll hack it in.

RE: Timestamps -- Snorby existed before Security Onion. i.e. It was not built just to be included. Why would SO 
enforcing UTC mean Snorby should conform? I do agree it should be a customizable option. (This is pretty low on the 
priority list. SUPER low.. because srsly.. do math)

Just so I fully understand let me go over the facts from your last email.

1. You're not a fan of fixing XSS/SQL inject.
2. You downloaded Security Onion and instead of using Sguil (currently still the best open source IR application) you 
installed a vulnerable PHP and set up BASE. Since you have personal problems with Snorby.. I would love to hear why BASE 
is better than Sguil.. Please, do tell.

Best Regards,

Dustin


On Feb 22, 2012, at 5:03 PM, Castle, Shane wrote:

BASE used to have some functions that worked better before the coders decided they needed to protect against SQL/XSS 
injection. Now I can't enter SQL wildcard expansions ("LIKE %stuff%") in my queries. The search and restricting the 
results to "unique alerts" (a misnomer but admittedly probably the best wording) capabilities are big shortcomings of 
Snorby. The ability to do multiple drill-downs based on IP address, the requirement to drill down to the IP address 
itself before name resolution occurs, and especially the ability to construct detailed searches that can then be used 
to delete the found alerts (invaluable for tuning and getting rid of multiple FPs) are foremost.

And as mentioned, I am really trying to like it but I'm just not feeling the love :( . Not that I'm getting it much 
from BASE anymore either.

I have my current BASE screen set up to report on the last 100 "unique alerts", which gets me most of the day's 
unique listings, and I can quickly drill down to who/what are the most likely suspects. Snorby's display of each and 
every alert is just a waste of my time paging through screen after screen of junk alerts (at my current level of 
tuning - really need to get the Snort config'd right).

As I mentioned in my first post, this is using Security Onion, so squert and Sguil are there too. I just don't want 
to give up all the work and learning that I put into BASE over the years.

And why can't I get 24-hour clock timestamps in Snorby? What's up with that? Who uses AM and PM for that anymore? 
Since SO wants the entire system to use UTC it makes it tiresome to do mod(12) arithmetic and then offset 7 hours. 
Yes I know it's a nit but it's a really annoying one.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
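The wildcard complaint in the message above rests on a false trade-off: protecting a search form against SQL injection does not require dropping "LIKE %stuff%". A parameterised query binds the analyst's pattern as a value, so % and _ still act as wildcards inside the LIKE while quotes and SQL keywords in the input stay inert data. The block below is an added example, not code from BASE, Snorby or Security Onion; it uses Python's sqlite3 module and a constructed toy "alerts" table whose column names are an assumption for illustration. It shows the string-concatenated search beside the bound one, an injection payload that returns every row from the first and nothing from the second, a literal-substring variant using ESCAPE for the case where % in the input should not be a wildcard, and the search-then-delete tuning workflow the message describes, done with the same bound pattern.

```python
import sqlite3

# Constructed sample data: a toy alerts table standing in for an IDS event
# store. This is NOT BASE's schema; the columns are assumptions for the example.
SAMPLE_ALERTS = [
    (1, "ET SCAN Nmap Scripting Engine", "10.0.0.5"),
    (2, "ET POLICY SSH Scan", "10.0.0.6"),
    (3, "GPL ICMP PING", "10.0.0.7"),
    (4, "ET WEB_SERVER 100% CPU", "10.0.0.8"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts (id INTEGER PRIMARY KEY, sig_name TEXT, src_ip TEXT)"
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?)", SAMPLE_ALERTS)
    conn.commit()
    return conn


def search_unsafe(conn, pattern):
    """String-concatenated LIKE: the analyst's wildcards work, but so does
    anything else they type, e.g. a quote that closes the literal early."""
    sql = "SELECT id FROM alerts WHERE sig_name LIKE '" + pattern + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, pattern):
    """Parameterised LIKE: the bound value is never parsed as SQL, yet the
    database still evaluates % and _ inside it as wildcards. (SQLite's LIKE is
    case-insensitive for ASCII, so '%scan%' also hits 'SCAN'.)"""
    sql = "SELECT id FROM alerts WHERE sig_name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def like_literal(text):
    """Escape %, _ and the escape character so a substring is matched literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_literal_substring(conn, text):
    """Substring search where user-supplied % and _ are NOT wildcards; the
    ESCAPE clause tells the database which character neutralises them."""
    sql = "SELECT id FROM alerts WHERE sig_name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + like_literal(text) + "%",))]


def delete_matching(conn, pattern):
    """Search-then-delete for tuning: the same bound pattern drives the DELETE,
    so a payload that would widen an unbound WHERE cannot wipe the table.
    Returns the number of rows removed."""
    cur = conn.execute("DELETE FROM alerts WHERE sig_name LIKE ?", (pattern,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "ET %"))               # [1, 2, 4]: wildcard still works
    payload = "%' OR '1'='1"
    print(search_unsafe(db, payload))            # [1, 2, 3, 4]: injection succeeded
    print(search_safe(db, payload))              # []: payload treated as a pattern
    print(search_literal_substring(db, "100%"))  # [4]: literal percent sign
    print(delete_matching(db, "GPL ICMP%"))      # 1
    print(search_safe(db, "%"))                  # [1, 2, 4]
```

The same approach carries over to the PHP that BASE and its dependencies run on: prepared statements (mysqli or PDO with bound parameters) keep the LIKE pattern as a value, so a form can let the analyst type % and _ freely and still be immune to the quote-closing payload shown here; only when the input is meant as a literal substring does it need escaping, and then the ESCAPE clause, not quote-stripping, is the right tool.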



------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

