Snort mailing list archives
Re: BASE or Snort Report ???
From: Crusty Saint <saintcrusty () gmail com>
Date: Thu, 6 Jan 2011 15:54:36 +0100
Personally I'm looking for the right tool; all too often many products are very identical in functionality with just the look and feel being different *sigh*

2011/1/6 Jun Wan <junwei_wan () hotmail com>:

> I couldn't agree more with Bamm. BASE & Snort Report are good for a Snort beginner like me. I was so excited when I saw all the alerts from BASE & Snort Report, then I learned how to tune rules and make BASE and Snort Report more user-friendly, it was fun. I found Sguil is fantastic when I would like to use Snort to dig information a bit deeper, including: what rules produced which alerts? Was the attack successful? Which servers were compromised and which servers weren't compromised? What does the signature pattern look like? Assignment, description/comments/escalation of the alerts, real-time alert counter, Wireshark, DNS lookup, etc. and more. All this information is in one NSM tool: Sguil. I've only had 6 months of experience with BASE and Snort Report, and 2 weeks with Sguil. I think Sguil is a more comprehensive tool than BASE and Snort Report regarding detailed information. I will try Snorby one day and I believe it would be another fantastic NSM tool as many recommended it. That's my 2c.
>
> Date: Wed, 5 Jan 2011 08:51:16 -0500
> From: bamm.visscher () gmail com
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] BASE or Snort Report ???
>
>> For the record, no, Sguil is not a dead project. The community is still quite active even if commits to CVS haven't been happening. Join #snort-gui on irc.freenode.net and you'll find a number of seasoned pros willing to help/discuss Sguil, Snort, NSM, IDS, security, fishing, music, .....
>>
>> With that said, I wouldn't recommend Sguil for someone just starting out with Snort or who is looking for an "alert browser". Take your time. Install Snorby or syslog alerts to Splunk. Do some analysis. If over time you come to the conclusion that you need more data and tools to facilitate better analysis, then check out Sguil and the concept of NSM.
>>
>> Bamm
>>
>> On Tue, Jan 4, 2011 at 10:01 PM, Garland, Ken R <garlandkr () gmail com> wrote:
>>
>>> With sguil replace the word 'excellent' with 'horrid' in regards to the web interface. It's also a dead project as far as I can tell. On the topic of vaporware, didn't BASE get dumped some time ago as well?
>>>
>>> Two jobs ago I wrote a custom interface using Python/Pylons that had real-time views and analysis. At my last position I put Snorby in place and that was a real treat, blew me away with the reports available and interface. They just released 2.0 which I had been waiting for, but I've since left that company and I've graduated from dealing with such things.
>>>
>>> Choose something that will have room to grow and has, at the minimum, a current set of interested developers. As a few others have pointed out you might want to consider using plugins for snort to send alerts or using syslog to deal with alerts; syslog-ng can handle alerts all on its own with quite a bit of intelligence. I always liked using a notification system outside of Snort as there are many other things in the admin world that require attention. I keep them in a central place with a central syslog-ng or monitoring system.
>>
>> --
>> sguil - The Analyst Console for NSM
>> http://sguil.sf.net
>>
>> ------------------------------------------------------------------------------
>> Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption
>> http://p.sf.net/sfu/oracle-sfdevnl
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users