Snort mailing list archives
Re: Distributed Snort
From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 11 May 2012 18:33:39 +0000
Side Note - Why do you think sguil requires vnc? I am running the client on both windows and linux workstations to a server receiving alerts from 50 sensors. And the server is a virtual server in another state. Base (like was mentioned) is easy to setup and can grow to the point that queries become to slow. Sguil is a series of tools/scipts that can give you much more information about alerts, if they are all running Snorby is a Ruby tool, like base, that lets you view alerts and categorize them. It's getting some support from other add-on tools as well (openFPC for example). And Security Onion, while a great tool, is a distro that you live run or install, and it installs everything. So if you already have a working snort and barnyard install, then what you are really looking for is a better interface and all three above can work, depending on how you use the alerts. On Fri, May 11, 2012 at 6:18 PM, Ian Bowers <iggdawg () gmail com> wrote:
I'd like to throw in some support for security onion as well. It's pretty fantastic, and mad easy to set up. Granted the baseline phase is no different from any other Snort deployment, so you still get to get your hands dirty if you're like me and you enjoy that sort of thing. It was easy to install BASE on as well. just untar into /var/www and install a couple packages (php5-adodb or libphp-adodb... or both... I dont remember) and configure base_conf.php . and you're up and running. Eric - I agree there are better tools than BASE for handling events, but I view BASE as a direct portal to the database. There are no background daemons that have to collect info or anything, it just says "here's what I got". And sometimes that's I want. Snorby is good, but it doesn't suit the way I handle IDS. Sguil is very good, but it requires a VNC session (although projects like jSguil look promising). In the case of security onion sguil is especially handy since it's your easy-access portal to all the packet captures. But for a quick check of whats going on, BASE rocks. And I can move to a more legit tool to classify and investigate if I feel it's worth looking into. On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose () gmail com> wrote:Hi I could also recommend SecurityOnion, http://securityonion.blogspot.com, which has this capability by default. Only thing is that it doesn't have Base but it have Snorby, Squert and Squil instead. Give it a try it only takes a few minutes to setup... /Lysemose------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Distributed Snort Adam Orton (May 11)
- Re: Distributed Snort Joel Esler (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Adam Orton (May 11)
- Re: Distributed Snort Heine Lysemose (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Jeremy Hoel (May 11)
- Re: Distributed Snort Joel Esler (May 11)
- Re: Distributed Snort Doug Burks (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Ian Bowers (May 11)
- Re: Distributed Snort Joel Esler (May 11)