
Re: [Snort-users] consensus on BASE

Subject: Re: [Snort-users] consensus on BASE
Date: Fri, 26 May 2006 12:54:10 -0500
John Newman wrote:
> Is the consensus that BASE is the best web front-end for snort out there
> (and I mean free, open source stuff)?  What are people's experiences
> with sguil (which I realize is not web based).
>
> thanks,

I think Base is probably the most popular open source front-end (although I don't have any data to back that up). It's certainly easy to install and use. The problem with Base is that it gives you a sliding window of your events data, which tends to obscure real-time events from view unless they are large enough to draw attention (or you just happen to notice them). So, it's good for summarizing what's going on, but not as good for real-time analysis of discrete events.

Sguil is very difficult to install. It requires quite a bit of preparation and installation of ancillary apps to make it work. (I'm trying to solve that on FreeBSD by developing ports for it that take care of all the dependencies.) That's a consequence of the decision to use tcl as the programming language, since it's not commonly installed on most platforms. (It also uses some other apps which are not so common: sancp, p0f, tcpdump.)

Once it's installed and configured (which is also a bit of work and requires a clear understanding of what you're doing), it provides a completely different, more detailed look at the data, in real time. It's easy to pick out events that need immediate followup and drill down into packets to see what's really going on.

So, I would say, Base is good for folks new to snort and especially new to admining OSes, and sguil is good for folks who clearly understand what they're doing and want as much information about events as they can get.

--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
