Snort mailing list archives
Re: BASE and Snorby running together
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Wed, 22 Feb 2012 16:27:29 -0500
I'm really trying to like Snorby, but there are a few things that keep driving me away. I haven't used BASE in a while (I'm a recent Sguil convert), but the things I remember...

1. The search functionality in BASE was far more flexible than in Snorby. There is no OR in the Snorby search page. When I see an alert, one of the first things I want to know is: what other alerts did the source or destination produce? In Snorby you can't search for 'src=10.1.1.1 OR dst=10.1.1.1 in the last X amount of time'. What I would really like to see is a button (like the "copy to clipboard" one) that will bring up all of the unclassified events with that IP address as either the src or dst. One click, see them all.

2. Personal annoyance. On the Ascii tab, it displays spaces as dots. To me, anyway, this makes it a little confusing to read.

3. (not in BASE, but I'll throw this in for free) If you expand an alert and then hotkey-classify it, the UI sends you back to the main events page. It would be faster, for an analyst, if the UI just brought up the next alert, already expanded, in the list. An option to display either the hex or ascii tab would be great too.

4. Unique IP links. In BASE you could easily get a summary of all the unique IP to IP events. This made it easy to spot loud offenders. ex.

src | dst | count
10.1.1.1 -> 1.1.1.1 2
2.2.2.2 -> 10.1.1.2 1
2.2.2.2 -> 10.1.1.3 1

5. Canned info on the main page. Most frequent src or dst, top 5 alerts (great for initial tuning), etc.

6. Clickable links to the rule references.

7. Delete alerts.

Just a few off the top of my head.

thx,
wally

On Wed, Feb 22, 2012 at 3:40 PM, Dustin Webber <dustin.webber () gmail com> wrote:
Just curious.. What are the features that snorby does not have? Last time I checked snorby shadowed BASE in every area and then some.

- Dustin

On Feb 22, 2012, at 3:06 PM, Jan Seidl <lists () heavyworks net> wrote:

Shane, have you tried sguil with squert?

On Feb 22, 2012 3:04 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
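As an added example (not code from this thread, nor from Snorby or BASE), here are the two triage views Wally describes, the src-OR-dst pivot on an IP within a time window and the unique src -> dst pair counts, plus the top-signature summary from item 5, run over constructed alert records. The record field names, timestamps, IPs and signature names are assumptions made for the example, not the Snort database schema either console queries.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts. Field names are assumptions for this example and
# are not the Snort database schema that BASE or Snorby query.
ALERTS = [
    {"ts": datetime(2012, 2, 22, 15, 0),  "src": "10.1.1.1", "dst": "1.1.1.1",  "sig": "SCAN example A",   "classified": False},
    {"ts": datetime(2012, 2, 22, 15, 5),  "src": "10.1.1.1", "dst": "1.1.1.1",  "sig": "SCAN example A",   "classified": False},
    {"ts": datetime(2012, 2, 22, 15, 10), "src": "2.2.2.2",  "dst": "10.1.1.2", "sig": "POLICY example B", "classified": False},
    {"ts": datetime(2012, 2, 22, 15, 12), "src": "2.2.2.2",  "dst": "10.1.1.3", "sig": "POLICY example B", "classified": False},
    {"ts": datetime(2012, 2, 22, 15, 20), "src": "3.3.3.3",  "dst": "10.1.1.1", "sig": "SCAN example A",   "classified": False},
    {"ts": datetime(2012, 2, 22, 15, 25), "src": "4.4.4.4",  "dst": "10.1.1.1", "sig": "SCAN example A",   "classified": True},
    {"ts": datetime(2012, 2, 22, 9, 0),   "src": "10.1.1.1", "dst": "5.5.5.5",  "sig": "POLICY example B", "classified": False},
]
NOW = datetime(2012, 2, 22, 16, 27)   # constructed "current time" for the search window
WINDOW = timedelta(hours=2)           # the "last X amount of time"

def related_alerts(alerts, ip, now=NOW, window=WINDOW):
    """Unclassified alerts in the last `window` with `ip` as src OR dst (wish-list item 1)."""
    cutoff = now - window
    return [a for a in alerts
            if a["ts"] >= cutoff and not a["classified"] and ip in (a["src"], a["dst"])]

def unique_pairs(alerts):
    """(src, dst, count) triples, loudest pair first: the BASE 'unique IP links' view (item 4)."""
    counts = Counter((a["src"], a["dst"]) for a in alerts)
    return sorted(((s, d, n) for (s, d), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))

def top_signatures(alerts, n=5):
    """Most frequent signatures, the 'top 5 alerts' summary used for initial tuning (item 5)."""
    return Counter(a["sig"] for a in alerts).most_common(n)

if __name__ == "__main__":
    # One-click pivot on 10.1.1.1: the classified alert and the one outside the window are dropped.
    for a in related_alerts(ALERTS, "10.1.1.1"):
        print(a["ts"], a["src"], "->", a["dst"], a["sig"])
    print("src | dst | count")
    for s, d, n in unique_pairs(ALERTS):
        print(f"{s} -> {d} {n}")
    print(top_signatures(ALERTS))
```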