Snort mailing list archives

Re: HELP ON SNORT


From: Paul Halliday <paul.halliday () gmail com>
Date: Mon, 30 Jan 2012 08:53:22 -0400

On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:
>
>> I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k
>> events every 30 minutes.
>
> Agreed!

So do we just shake our fingers at them and move on? I think that for
a lot of people this is the reality of owning an IDS, and for whatever
circumstance, this will never change.

Not everyone has a team of specialists or dedicated resources for this
type of stuff. I suspect (evidence from this list over the years
supports) that a lot of people walk into a networking or sysadmin gig
and quickly learn that they are also the firewall guy, AD security,
desktop security, OH, and IR as well. You can read PCAPs in Latin,
right? What about malware reverse engineering?

So, what are these folks to do? Sguil? Doubt it. Snorby, not likely
(but it is pretty). What about tuning Snort or Suricata? That file
format's DOS, right? Good luck.

We have this enormous abstraction layer that encompasses these systems
and we have done very little over the years to fix this. Not everyone
is a specialist and not everyone has a budget. We need to make these
systems more accessible.

"it always ended up being someone who didn't tune their sensor and had
150k events every 30 minutes"

Sounds like an absolute to me. Why didn't the system fix this for them?

Gaps in others' security become a gap in ours. It's lose-lose.

Back to the OP's question:

BASE: EOL
SGUIL: Lots of data, no context. Requires expert knowledge to use.
SNORBY: Lots of data, contrived context. Requires expert knowledge to
use (but pretty).

For those of you that are not experts... well, for now you are out of luck.

-- 
Paul Halliday
http://www.squertproject.org/
