Re: Where's Waldo?

[AllowOverride <allowoverride () gmail com>]

yep, i agree, i like base(still do) used it for years out of the box,
pretty looking too.

however, the more chunks of meat(barnyard2) you throw into the stew,
well, you are going to need add more seasoning to be back it's original
flavor.

if someone can pick up this dead dog, i'd like to shake their hand :)

i can see how barnyard2 and unified2 is needed, but for small office and
catching bank robbers, well, its good enough as long as you back up data
elsewhere..


On Thu, 2012-10-11 at 22:47 +0000, Castle, Shane wrote:
> I wrote and discarded one reply to this. The first one started out dissing BASE a lot (I was upset with it toward the 
> end), and I realized it was unfair. Here's another try.
>
> You may be right. It still can work, as long as you can put up with its quirks, and are willing to tweak the code a 
> bit. After all, for us, it helped put someone in jail. And yes, there needs to be an IDS learning stage before 
> jumping in the deep end of NSM, and setting up Snort with BASE isn't really all that difficult a thing to do. It's 
> not as easy as it was in the early days, but really, the only new step is Barnyard2; all the rest is nearly unchanged.
>
> Maybe someone will pick BASE up, dust it off, add some new features, and call it SALT. ;)
>
> -- 
> Shane Castle
> Data Security Mgr, Boulder County IT
>
> -----Original Message-----
> From: Michael Steele [mailto:michaels () winsnort com] 
> Sent: Thursday, October 11, 2012 16:05
> To: 'AllowOverride'
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Where's Waldo?
>
> BASE is a great place to start out. Maybe when you get everything working
> properly then make the switch.
>
> BASE is a viable option, it may not have a developer behind it right now,
> but it's viable as a snort console.
>
> Michael...
>
> -----Original Message-----
> From: AllowOverride [mailto:allowoverride () gmail com] 
> Sent: Thursday, October 11, 2012 5:38 PM
> To: Peter Bates
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Where's Waldo?
>
> im looking into snorby, since base is dead... thanks
>
> On Thu, 2012-10-11 at 20:58 +0100, Peter Bates wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Hello all
> >
> > On 11/10/2012 20:29, AllowOverride wrote:
> > > just a test, i will clear tables, and close browser, come back in 1 
> > > hour increments, and see if that is the issue, it takes an hour to 
> > > input new data after base clear table buttons have cleared. im 
> > > assume there is a switch in the configs to make it quicker.
> >
> > I've never personally looked for the option to clear tables in BASE 
> > but I can say I use a script called archivesnort.pl which moves alerts 
> > after 7 days to the archive DB and deletes them after 30.
> >
> > If that is available with BASE I'd suggest you try that - i.e. 
> > modifying the database outside of the web interface - if you can't 
> > find it I can post it to the ML.
> >
> > That's what we do and I've never seen the problem you're describing.
> >
> > Alternatively, why not look at Snorby as a WUI - that has an inbuilt 
> > option to trim(*) the database after a fixed number of events.
> >
> > * - by trim I mean 'delete oldest events but not the entire contents 
> > of the table' - I can't think of a better word.
> >
> > - --
> > Peter Bates
> > Senior Computer Security Officer    Phone: +44(0)2076792049
> > Information Services Division           Internal Ext: 32049
> > University College London
> > London WC1E 6BT
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.11 (Darwin)
> > Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> >
> > iQEcBAEBAgAGBQJQdyTUAAoJELhVoVpEMS6RsvgH/iJ00PzneI6hlwoFiZz2Xtab
> > D+T9Xr69BcHxlZ8FLpWWkkJQWxaeLIIQUKs6yWdkeD3Nn+8P9prpHFfdCeIV55a4
> > ICMyIuPj09EMMWyTLQzO2+VZwYh4RmJ4e/XuyD2VAfYobScJdrz6/fHsV6mn0Bm/
> > J3SaKlYA4Wm/ou+x5rvJW3J9gSOpQoLfLTUBqBnr3yv8SxiKJQw1WZvYHr2LF0lb
> > NxgaQlNjVZtokg0B3fIj6Dhhyecj7M+tjrSs0wqqXd5rU1oOgvDwdiLr1LfYNCAs
> > zBd87P9j1mVF9VlLgBhtLr+3/jOVIGAooQK4QWOtLtASmrlBOp7H4rhhIxvP5oQ=
> > =S82d
> > -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!