Snort mailing list archives
Re: HELP ON SNORT
From: Paul Halliday <paul.halliday () gmail com>
Date: Mon, 30 Jan 2012 08:53:22 -0400
On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:
>
>> I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes.
>
> Agreed!
So do we just shake our fingers at them and move on? I think that for a lot of people this is the reality of owning an IDS, and for whatever circumstance, this will never change. Not everyone has a team of specialists or dedicated resources for this type of stuff. I suspect (evidence from this list over the years supports) that a lot of people walk into a networking or sysadmin gig and quickly learn that they are also the firewall guy, AD security, desktop security, oh, and IR as well. You can read PCAPs in Latin, right? What about malware reverse engineering?

So, what are these folks to do? Sguil? Doubt it. Snorby? Not likely (but it is pretty). What about tuning Snort or Suricata? That file format's DOS, right? Good luck.

We have this enormous abstraction layer that encompasses these systems and we have done very little over the years to fix this. Not everyone is a specialist and not everyone has a budget. We need to make these systems more accessible.

"it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes"

Sounds like an absolute to me. Why didn't the system fix this for them? Gaps in others' security become a gap in ours. It's lose-lose.

Back to the OP's question:

BASE: EOL
SGUIL: Lots of data, no context. Requires expert knowledge to use.
SNORBY: Lots of data, contrived context. Requires expert knowledge to use (but pretty).

For those of you that are not experts... well, for now you are out of luck.

--
Paul Halliday
http://www.squertproject.org/
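The "didn't tune their sensor" problem discussed above is usually a handful of signatures producing most of the volume. The script below is an added example for this thread, not code from Paul, Snort, Squert or any project named here: it parses Snort's alert_fast output, ranks signatures by alert count, and drafts the threshold.conf entries (Snort 2.9 `event_filter` / `suppress` syntax) a first tuning pass would start from. The sample alert lines are constructed, the SIDs (1000001 and up, the local-rule range) are placeholders, and the "noisy" cut-offs (20% of total volume, 90% from one source) are arbitrary starting points chosen for the example, not Snort defaults.

```python
"""Rank Snort alert_fast output by signature and draft threshold.conf entries.

Added example for the tuning discussion in this thread; it is not part of
Snort, Squert or any other project mentioned here.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's alert_fast format (not captured from a real
# sensor). SIDs 1000001+ are the local-rule range, used here as placeholders.
SAMPLE_ALERTS = """\
01/30-08:00:01.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/30-08:00:02.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/30-08:00:03.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.2
01/30-08:00:04.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.3
01/30-08:00:05.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.4
01/30-08:00:06.000001  [**] [1:1000001:1] LOCAL ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.6
01/30-08:00:07.000001  [**] [1:1000002:2] LOCAL HTTP User-Agent of interest [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:51000 -> 192.0.2.10:80
01/30-08:00:08.000001  [**] [1:1000002:2] LOCAL HTTP User-Agent of interest [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:51001 -> 192.0.2.10:80
01/30-08:00:09.000001  [**] [1:1000002:2] LOCAL HTTP User-Agent of interest [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.9:51002 -> 192.0.2.11:80
01/30-08:00:10.000001  [**] [1:1000003:1] LOCAL SSH outbound to new host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51003 -> 198.51.100.5:22
"""

# alert_fast layout: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..]
# [Priority: n] {proto} src[:port] -> dst[:port]   (IPv4 only in this example)
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"] = int(d["gid"])
    d["sid"] = int(d["sid"])
    return d


def summarize(lines):
    """Count alerts per (gid, sid, msg) and per source IP within each signature."""
    by_sig = Counter()
    src_by_sig = defaultdict(Counter)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # unparseable line; a production tool would log it
        key = (a["gid"], a["sid"], a["msg"])
        by_sig[key] += 1
        src_by_sig[key][a["src"]] += 1
    return by_sig, src_by_sig


def suggest_tuning(lines, noisy_share=0.2, single_src_share=0.9):
    """Draft threshold.conf lines for signatures that dominate the alert volume.

    A signature is 'noisy' if it produces at least noisy_share of all alerts.
    If one source IP generates single_src_share or more of a noisy signature's
    hits, suppress that pair (track by_src, ip ...); otherwise rate-limit the
    signature to one alert per source per minute with event_filter.
    Both cut-offs are arbitrary starting points for this example.
    """
    by_sig, src_by_sig = summarize(lines)
    total = sum(by_sig.values())
    out = []
    for (gid, sid, msg), n in by_sig.most_common():
        if total == 0 or n / total < noisy_share:
            break  # most_common() is sorted, so nothing after this qualifies
        top_src, top_n = src_by_sig[(gid, sid, msg)].most_common(1)[0]
        out.append(f"# {n} of {total} alerts: {msg}")
        if top_n / n >= single_src_share:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {top_src}")
        else:
            out.append(
                f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count 1, seconds 60"
            )
    return out


if __name__ == "__main__":
    print("\n".join(suggest_tuning(SAMPLE_ALERTS.splitlines())))
```

Run it against a real alert file with `suggest_tuning(open("/var/log/snort/alert").readlines())`. The output is a draft to review, not something to append blindly: a suppress by source IP is only right when that host is a known scanner or monitor, and an `event_filter ... type limit` still lets the first hit through so the signature is not silenced entirely.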
Current thread:
- Re: HELP ON SNORT, (continued)
- Re: HELP ON SNORT Martin Holste (Jan 27)
- Re: HELP ON SNORT Jeremy Hoel (Jan 27)
- Re: HELP ON SNORT Castle, Shane (Jan 27)
- Re: HELP ON SNORT Joel Esler (Jan 27)
- Re: HELP ON SNORT Heine Lysemose (Jan 28)
- Re: HELP ON SNORT Dustin Webber (Jan 28)
- Re: HELP ON SNORT Martin Holste (Jan 29)
- Re: HELP ON SNORT Joel Esler (Jan 29)
- Re: HELP ON SNORT Dustin Webber (Jan 29)
- Re: HELP ON SNORT Joel Esler (Jan 29)
- Re: HELP ON SNORT Paul Halliday (Jan 30)
- Re: HELP ON SNORT Joel Esler (Jan 30)
- Re: HELP ON SNORT Paul Halliday (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)
- Re: HELP ON SNORT Jefferson, Shawn (Jan 30)
- Re: HELP ON SNORT Lay, James (Jan 30)
- Re: HELP ON SNORT Jeremy Hoel (Jan 30)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT Martin Holste (Jan 27)
- Re: HELP ON SNORT beenph (Jan 29)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)