RE: consensus on BASE

["Michael Scheidell" <scheidell () secnap net>]

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net 
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
> Drew Burchett
> Sent: Saturday, May 27, 2006 7:21 AM
> To: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] consensus on BASE
>
> I guess if BASE has one fatal flaw, there's no ability to see 
> an IP conversation that triggered an alert.  For example, if 
> you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no 
> good way to tell if it was malicious or if some dummy just 
> typed in the wrong URL.

Then there is no flaw in BASE, since it only records what snort gave it.
NOTHING can tell you what cause the 403 error unless you also correlate
it to syslogs for the web server.

(which you can do with base if you want to parse syslogs and send them
to base)

I think BASE is great, except for the searching capibilities.  They are
really poor.
That makes it hard to do anything but look at 'top 5' type events.

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
MediaPro web base privacy and security training:
http://www.secnap.com/events.php?pg=15


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid7521&bid$8729&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users