Snort mailing list archives

Re: Distributed Snort


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 11 May 2012 18:33:39 +0000

Side Note - Why do you think sguil requires vnc?  I am running the
client on both windows and linux workstations to a server receiving
alerts from 50 sensors.  And the server is a virtual server in another
state.

Base (like was mentioned) is easy to set up and can grow to the point
that queries become too slow.

Sguil is a series of tools/scripts that can give you much more
information about alerts, if they are all running.

Snorby is a Ruby tool, like base, that lets you view alerts and
categorize them.  It's getting some support from other add-on tools as
well (openFPC for example).

And Security Onion, while a great tool, is a distro that you live run
or install, and it installs everything.  So if you already have a
working snort and barnyard install, then what you are really looking
for is a better interface and all three above can work, depending on
how you use the alerts.

On Fri, May 11, 2012 at 6:18 PM, Ian Bowers <iggdawg () gmail com> wrote:
I'd like to throw in some support for security onion as well.  It's pretty
fantastic, and mad easy to set up.  Granted the baseline phase is no
different from any other Snort deployment, so you still get to get your
hands dirty if you're like me and you enjoy that sort of thing.

It was easy to install BASE on as well.  Just untar into /var/www and
install a couple packages (php5-adodb or libphp-adodb...  or both...  I don't
remember) and configure base_conf.php, and you're up and running.

Eric - I agree there are better tools than BASE for handling events, but I
view BASE as a direct portal to the database.  There are no background
daemons that have to collect info or anything, it just says "here's what I
got".  And sometimes that's what I want.  Snorby is good, but it doesn't suit the
way I handle IDS.  Sguil is very good, but it requires a VNC session
(although projects like jSguil look promising).  In the case of security
onion sguil is especially handy since it's your easy-access portal to all
the packet captures.  But for a quick check of what's going on, BASE rocks.
And I can move to a more legit tool to classify and investigate if I feel
it's worth looking into.



On Fri, May 11, 2012 at 1:25 PM, Heine Lysemose <lysemose () gmail com> wrote:

Hi

I could also recommend SecurityOnion, http://securityonion.blogspot.com,
which has this capability by default.
Only thing is that it doesn't have Base but it has Snorby, Squert and
Sguil instead.

Give it a try it only takes a few minutes to setup...

/Lysemose



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
