Snort mailing list archives

Re: php, base issue

From: Doug Burks <doug.burks () gmail com>
Date: Fri, 18 May 2012 14:05:26 -0400

Hi Greg,

We'd be glad to help you troubleshoot any performance issues you're having
with Security Onion over on our mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Fri, May 18, 2012 at 1:56 PM, Greg Williams <alphawebfx () gmail com> wrote:

I tried it and was a little disappointed in how slow it was running for
me.  I only gave it about 15 minutes, but I was definitely losing more
packets than my custom install.  Maybe it's better now. ~400-500 MBps
sustained.


On Fri, May 18, 2012 at 11:53 AM, Rick Chisholm <chavez243 () gmail com>wrote:

FWIW - you can always take a look at Security Onion - it has a bunch of
Snort front-ends you can play with.

First we had ACID and it went ker-splat, then BASE, which is dying on the
vine. Not sure what the next move is, all I know is that I need a
functional front-end and for right now that's Snorby.


On Fri, May 18, 2012 at 1:46 PM, Greg Williams <alphawebfx () gmail com>wrote:

Well said! I 100% agree. Even though I have alerts forwarding via syslog
to other destinations like Splunk, there is just something about BASE that
trumps everything else.  I've tried many other apps as well including
Snorby and Sguil.



On May 18, 2012, at 11:36 AM, Ron Sinclair <unixfool () gmail com> wrote:

I hear such statements all the time.  Would be nice if someone took BASE
and revamped (but not whole-hog) it.

I've been using BASE for almost 10 years, even after using both Sguil
and Snorby.  There's something about BASE that Snorby just can't
match...just my opinion.  I do check Snorby from time to time to assess any
new features.  Last I checked, it still had a long way to go, so I kept
using BASE.  Sguil...I don't know, since I never force myself to spend
enough time to better utilize it.  I usually just get frustrated and wipe
it out.

BASE seems less maintenance intensive than either Sguil and Snorby.  I
don't want to have to learn Ruby/Rails to use Snorby.  I didn't really have
to understand all that much about PHP to begin using BASE, and I already
had a good knowledge of MySQL, Snort, and Apache (and a multitude of other
things).  I'll be using BASE for another 10 years, or until something else
(that isn't Sguil or Snorby) is released. If that doesn't happen, I'll go
straight to the raw logs and begin using correlation scripts and tools.

On Fri, May 18, 2012 at 1:06 PM, Rick Chisholm <chavez243 () gmail com>wrote:

Hi Dennis:

BASE is getting pretty long in the tooth, does not appear to be
actively developed and as PHP advances, is slowly breaking. It is advisable
to switch to something like Snorby, Sguil etc.

 On Fri, May 18, 2012 at 12:37 PM, Dennis Circolone <
djcircolone () gmail com> wrote:

 Hello,
I have configured snort-2.9.2.2 on an opensuse 12.1 box, everything is
working great except for the portscan traffic stays at 0% after an NMAP
test and when I select source ports link or dest ports link I recieve an
error.Does anyone know how I can resolve this issue?


 Basic Analysis and Security Engine (BASE)

    - Today's alerts: 
unique<http://10.2.7.170/base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
listing<http://10.2.7.170/base/base_qry_main.php?new=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=Query+DB&num_result_rows=-1&time_cnt=1>
 Source
IP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
 Destination
IP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
  -
Last 24 Hours alerts: 
unique<http://10.2.7.170/base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
listing<http://10.2.7.170/base/base_qry_main.php?new=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=Query+DB&num_result_rows=-1&time_cnt=1>
 Source
IP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
 Destination
IP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
  -
Last 72 Hours alerts: 
unique<http://10.2.7.170/base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
listing<http://10.2.7.170/base/base_qry_main.php?new=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=Query+DB&num_result_rows=-1&time_cnt=1>
 Source
IP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
 Destination
IP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+>
  -
Most recent 15 Alerts: any 
protocol<http://10.2.7.170/base/base_qry_main.php?new=1&caller=last_any&num_result_rows=-1&submit=Last%20Any>
TCP<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=TCP&caller=last_tcp&num_result_rows=-1&submit=Last%20TCP>
UDP<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=UDP&caller=last_udp&num_result_rows=-1&submit=Last%20UDP>
ICMP<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=ICMP&caller=last_icmp&num_result_rows=-1&submit=Last%20ICMP>
 -
Last Source Ports: any 
protocol<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=1&proto=-1&sort_order=last_d>
TCP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=1&proto=6&sort_order=last_d>
UDP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=1&proto=17&sort_order=last_d> -
Last Destination Ports: any 
protocol<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=2&proto=-1&sort_order=last_d>
TCP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=2&proto=6&sort_order=last_d>
UDP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=2&proto=17&sort_order=last_d> -
Most Frequent Source Ports: any 
protocol<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=1&proto=-1&sort_order=occur_d>
TCP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=1&proto=6&sort_order=occur_d>
UDP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=1&proto=17&sort_order=occur_d> -
Most Frequent Destination Ports: any 
protocol<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=2&proto=-1&sort_order=occur_d>
TCP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=2&proto=6&sort_order=occur_d>
UDP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=2&proto=17&sort_order=occur_d> -
Most frequent 15 Addresses: 
Source<http://10.2.7.170/base/base_stat_uaddr.php?caller=most_frequent&addr_type=1&sort_order=occur_d>
Destination<http://10.2.7.170/base/base_stat_uaddr.php?caller=most_frequent&addr_type=2&sort_order=occur_d> -
Most recent 15 Unique Alerts<http://10.2.7.170/base/base_stat_alerts.php?caller=last_alerts&sort_order=last_d> -
Most frequent 5 Unique Alerts<http://10.2.7.170/base/base_stat_alerts.php?caller=most_frequent&sort_order=occur_d>
 *Queried on *: Fri May 18, 2012 16:34:43
*Database:* snort@localhost    (*Schema Version:* 107)
*Time Window:* [2012-05-18 11:05:19] - [2012-05-18 11:06:55]
 *Search <http://10.2.7.170/base/base_qry_main.php?new=1>*
*Graph Alert Data <http://10.2.7.170/base/base_graph_main.php>*
Graph Alert Detection Time <http://10.2.7.170/base/base_stat_time.php>

------------------------------
  *Sensors/Total:* 1 <http://10.2.7.170/base/base_stat_sensor.php> /
2
*Unique Alerts:* 1 <http://10.2.7.170/base/base_stat_alerts.php>
*Categories: *1<http://10.2.7.170/base/base_stat_class.php?sort_order=class_a>
*Total Number of Alerts:* 
48<http://10.2.7.170/base/base_qry_main.php?&num_result_rows=-1&submit=Query+DB&current_view=-1>

   - Src IP addrs: 13<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1>
   - Dest. IP addrs: 1<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2>
   - Unique IP links 13 <http://10.2.7.170/base/base_stat_iplink.php>
   -

   Source Ports: 2<http://10.2.7.170/base/base_stat_ports.php?port_type=1&proto=-1>
   -
      - TCP ( 0<http://10.2.7.170/base/base_stat_ports.php?port_type=1&proto=6>)  UDP
      ( 2<http://10.2.7.170/base/base_stat_ports.php?port_type=1&proto=17>
      )
   - Dest Ports: 2<http://10.2.7.170/base/base_stat_ports.php?port_type=2&proto=-1>
   -
      - TCP ( 0<http://10.2.7.170/base/base_stat_ports.php?port_type=2&proto=6>)  UDP
      ( 2<http://10.2.7.170/base/base_stat_ports.php?port_type=2&proto=17>
      )

*Traffic Profile by Protocol*  TCP 
(0%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=TCP&num_result_rows=-1&sort_order=time_d&submit=Query+DB>
   UDP 
(100%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=UDP&num_result_rows=-1&sort_order=time_d&submit=Query+DB>
     ICMP 
(0%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=ICMP&num_result_rows=-1&sort_order=time_d&submit=Query+DB>

------------------------------
  Portscan Traffic 
(0%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=RawIP&num_result_rows=-1&sort_order=time_d&submit=Query+DB>


  Basic Analysis and Security Engine (BASE)
  Home <http://10.2.7.170/base/base_main.php>  |   Search<http://10.2.7.170/base/base_qry_main.php?new=1>

  [ Back <http://10.2.7.170/base/base_main.php?back=1&;> ]

/srv/www/htdocs/base/includes/base_cache.inc.php:556: ERROR:
$number_sensors_array is NOT an array!


/srv/www/htdocs/base/includes/base_cache.inc.php:564: ERROR:
$number_sensors_array is either NULL or empty!

 *Queried on* : Fri May 18, 2012 16:36:23      Meta Criteria *   any *
   IP Criteria *   any *   Layer 4 Criteria *   none * Payload
Criteria *   any *

*No Alerts were found.*

         <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=port_a>
 Port ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=port_d>
   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sensor_a>
 Sensor ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sensor_d>
   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=occur_a>
 Occurrences

<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=occur_d>

   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=alerts_a>
Unique Alerts

<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=alerts_d>

   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sip_a>
 Src. Addr. ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sip_d>
   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=dip_a>
 Dest. Addr.

<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=dip_d>

   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=first_a>
 First ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=first_d>
   <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=last_a>
 Last ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=last_d>
     ACTION
{ action }ADD to AG (by ID)ADD to AG (by Name)Create AG (by Name)Delete
alert(s)Email alert(s) (full)Email alert(s) (summary)Email alert(s)
(csv)Archive alert(s) (copy)Archive alert(s) (move)



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--
Rick Chisholm
http://parallel42.ca
http://appliedusers.ca
=========================
"There is no faith which has never yet been broken, except that of a
truly faithful dog." - Konrad Lorenz


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



--
Rick Chisholm
http://parallel42.ca
http://appliedusers.ca
=========================
"There is no faith which has never yet been broken, except that of a
truly faithful dog." - Konrad Lorenz




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

php, base issue Dennis Circolone (May 18)
- Re: php, base issue Rick Chisholm (May 18)
  - Re: php, base issue Ron Sinclair (May 18)
    - Re: php, base issue Rick Chisholm (May 18)
    - Re: php, base issue Greg Williams (May 18)
    - Re: php, base issue Rick Chisholm (May 18)
    - Re: php, base issue Greg Williams (May 18)
    - Re: php, base issue Doug Burks (May 18)
    - Re: php, base issue Greg Williams (May 18)