Re: There appears to be a bug in Base-1.4.5

[AllowOverride <allowoverride () gmail com>]

free invite, pay later? no thanks... 

On Tue, 2012-10-09 at 19:23 -0400, Dustin Webber wrote:
> Shawn,
>
>
> Yes, the things you listed below have been added. I can agree that
> before these features were added (most notably the uniq events) it was
> a little bit of a pain to navigate. 
>
>
> In snorby (this is in dev but will be pushed to master this weekend)
> each sensor can be configured independently. So if you don't want to
> cluster openFPC or streamDB you can add a different API url to each
> sensor.
>
>
> Good call on locking that box down but in those situations i feel so
> dirty i can't sleep at night. hehe maybe not that extreme but you get
> my point.
>
>
> Anyway, thanks for your feedback and I hope you get a chance to try
> Snorby out again in the future. sign up a cloud.snorby.org and i'll
> give you a beta invite so you can test it and help better the
> software.
>
>
> - Dustin
>
>
> P.S Everyone, Snorby is actively developer - if you want features
> please ask, we are willing to pretty much add anything people request.
>
>
>
>
>
>
> On Oct 9, 2012, at 7:11 PM, "Jefferson, Shawn"
> <Shawn.Jefferson () bcferries com> wrote:
>
> > Hi Dustin,
> >
> > I'd like all alerts to be "rolled up" into one line like BASE does.
> >  I'd like to be able to have the "unique IP links" per SID view like
> > BASE has.  I didn't see that last time I looked at snorby, maybe
> > that is there and I missed it?
> >
> > As far as StreamDB/OpenFPC, can you have both of them at the same
> > time?  The lookup API sounds interesting... I'll have to look into
> > that again.  HIPS is SEP, it's a MSSQL database... (there is a
> > possibility to use Symantec System Center and hook into that.)
> >
> > No, I'd rather use your product-but it didn't fit my requirements at
> > the time, if it does now, that's great!  As far as vulns in BASE,
> > I'm sure there is, but I have it very locked down... I don't let
> > just any computer connect to it-which in my case is an adequate
> > compensating control (among others.)
> >
> >
> >
> > -----Original Message-----
> > From: Dustin Webber [mailto:dustin.webber () gmail com] 
> > Sent: Tuesday, October 09, 2012 3:54 PM
> > To: Jefferson, Shawn
> > Cc: Snort-Users Users
> > Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
> >
> > Shawn,
> >
> > What is your "workflow"? I am curious to hear how snorby can't adapt
> > to it. Also, Snorby supports StreaDB and OpenFPC and with the lookup
> > source api in snorby adding CVE queries would be dead simple.
> > Integration with you HIPS is another story since you didn't name the
> > product you use but I bet that likely is already there as well.
> >
> > If I understood you correctly you are willing to jump start a dead
> > project (mad vulns exist in the code base still un-patched) then
> > commit to a new actively developer project? I'm not sure I
> > understand the logic in this, can you explain more?
> >
> > - Dustin
> >
> > On Oct 9, 2012, at 6:43 PM, "Jefferson, Shawn"
> > <Shawn.Jefferson () bcferries com> wrote:
> >
> > > Who is officially the "maintainer" of BASE now?  Is BASE 2.x still
> > > being worked on?
> > >
> > > Personally I like BASE 1.4.5, and have added a few features to my
> > > version of it that improves the analyst experience (IMO, and in my
> > > network).  I've seen the messages about it being dead, and I've
> > > been thinking someone should take it over... (maybe even me,
> > > although I'm not a developer by trade, I can hack around in php...
> > > someone else would be better, but no one seems to be stepping up
> > > to the plate?)  Some support is better than no support I guess?
> > >
> > > Snorby is probably a better option, but at the moment, the
> > > "workflow" 
> > > in Snorby doesn't match my needs (and the fact I've made
> > > modifications 
> > > to add CVE lookup to patch management, StreamDB and OpenFPC
> > > lookup, 
> > > and also correlation with my HIPS product.)
> > >
> > >
> > > -----Original Message-----
> > > From: Castle, Shane [mailto:scastle () bouldercounty org]
> > > Sent: Tuesday, October 09, 2012 1:23 PM
> > > To: snort-users
> > > Subject: Re: [Snort-users] There appears to be a bug in Base-1.4.5
> > >
> > > Actually, there are lots of bugs in BASE-1.4.5. And, the answer
> > > seems to be: nobody. You can go to the web site
> > > (http://base.secureideas.net/) and add your bug report to those
> > > already there (Under Support/Bug reporting) but it's not really
> > > going to be seen by anyone useful, and nothing will come of it.
> > >
> > > Yes, we might as well face it: BASE is dead. It was pretty good
> > > while it lasted, and I used it right up until I took the Security
> > > Onion pledge. Now my primary tool is the Sguil client and I rarely
> > > use Snorby (sorry, Dustin - I just don't like it).
> > >
> > > (Removed snort-team from CC list - they have zero interest in BASE
> > > and 
> > > this is just noise to them.)
> > >
> > > --
> > > Shane Castle
> > > Data Security Mgr, Boulder County IT
> > >
> > >
> > > ----------------------------------------------------------------------
> > > -------- Don't let slow site performance ruin your business.
> > > Deploy 
> > > New Relic APM Deploy New Relic app performance management and
> > > know 
> > > exactly what is happening inside your Ruby, Python, PHP, Java,
> > > and 
> > > .NET app Try New Relic at no cost today and get our sweet Data
> > > Nerd 
> > > shirt too!
> > > http://p.sf.net/sfu/newrelic-dev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the
> > > latest Snort news!
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
> this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay 
> current on all the latest Snort news!


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!