Snort mailing list archives
Re: consensus on BASE
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 26 May 2006 12:54:10 -0500
John Newman wrote:
I think Base is probably the most popular open source front-end (although I don't have any data to back that up.) It's certainly easy to install and use. The problem with Base is that it gives you a sliding window of your events data, which tends to obscure real-time events from view unless they are large enough to draw attention (or you just happen to notice them.) So, it's good for summarizing what's going on, but not as good for real-time analysis of discrete events.

Is the consensus that BASE is the best web front-end for snort out there (and I mean free, open source stuff)? What are people's experiences with sguil (which I realize is not web based)? thanks,
Sguil is very difficult to install. It requires quite a bit of preparation and installation of ancillary apps to make it work. (I'm trying to solve that on FreeBSD by developing ports for it that take care of all the dependencies.) That's a consequence of the decision to use tcl as the programming language, since it's not commonly installed on most platforms. (It also uses some other apps which are not so common: sancp, p0f, tcpdump)
Once it's installed and configured (which is also a bit of work and requires a clear understanding of what you're doing), it provides a completely different, more detailed look at the data, in real time. It's easy to pick out events that need immediate follow-up and drill down into packets to see what's really going on.
So, I would say, Base is good for folks new to snort and especially new to administering OSes, and sguil is good for folks who clearly understand what they're doing and want as much information about events as they can get.
-- Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/