On Sat, 27 Nov 2004, mamo wrote:
...
The platform should have strong possibility to see event from
different point of view (source IP, Dest IP, Event Name, Network
Sensor Name, etc) and drill down to better analize. This approch is
the only one I have found that permit to analize so much events.
Do you have any experience to share on software
(commercial/opensource), that can permit Snort events analisys for an
enviroment with so much events?
Not yet, but I'm playing with a tool called Pigris that I hope I'll have
time to finish and release some time (I don't know when though). It has
the look and feel of a web-based alert browser but is a client written in
Perl/Tk that talks to the db. It works well with many sensors and events
and has some other useful features too. There are some early screenshots
and more info at http://people.su.se/~andreaso/pigris/screenshots/ if
you're interested.
You may also want to checkout Sguil at http://sguil.sf.net/. It scales
well but kind of assumes that every event (or correlated group of events)
has to be dealt with by an analyst. This can be a huge strength in some
environments but I'm not sure it would work well if you have 2 million
events a day (are your sigs really optimally tuned?)
/Andreas
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
