Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] consensus on BASE

from [Drew Burchett] Network Security [Permanent Link]
Subject: RE: [Snort-users] consensus on BASE
Date: Sat, 27 May 2006 06:21:08 -0500 
While I can agree with most of what was said here, I can see one flaw
with Sguil.  I don't run any Linux boxes with a GUI frontend, and I
don't have the resources to load one just to run Sguil.  I'm using BASE
to help fine tune Snort as it's good to help weed out false positives
and for a good running overview of what is happening in realtime.  I
combine that with Snortalog for daily overviews of my data and then use
other programs to provide email and/or pager alerts on events that I
feel are important enough to draw my immediate attention.

I guess if BASE has one fatal flaw, there's no ability to see an IP
conversation that triggered an alert.  For example, if you see an ATTACK
RESPONSE 403 FORBIDDEN alert, there's no good way to tell if it was
malicious or if some dummy just typed in the wrong URL.

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone:  (270)527-3293
Fax:     (270)527-3132


-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-
admin@lists.sourceforge.net] On Behalf Of Paul Schmehl
Sent: Friday, May 26, 2006 12:54 PM
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] consensus on BASE

John Newman wrote:

Is the consensus that BASE is the best web front-end for snort out

there

(and I mean free, open source stuff)?  What are people's experiences
with sguil (which I realize is not web based).

thanks,


I think Base is probably the most popular open source front-end
(although I don't have any data to back that up.)  It's certainly easy
to install and use.  The problem with Base is that it gives you a
sliding window of your events data, which tends to obscure real-time
events from view unless they are large enough to draw attention (or

you

just happen to notice them._  So, it's good for summarizing what's

going

on, but not as good for real-time analysis of discrete events.

Sguil is very difficult to install.  It requires quite a bit of
preparation and installation of ancilliary apps to make it work.  (I'm
trying to solve that on FreeBSD by developing ports for it that take
care of all the dependencies.)  That's a consequence of the decision

to

use tcl as the programming language, since it's not commonly installed
on most platforms.  (It also uses some other apps which are not so
common; sancp, p0f, tcpdump

Once it's installed and configured (which is also a bit of work and
requires a clear understanding of what you're doing), it provides a
completely different, more detailed look at the data, in real time.
It's easy to pick out events that need immediate followup and drill

down

into packets to see what's really going on.

So, I would say, Base is good for folks new to snort and especially

new

to admining OSes, and sguil is good for folks who clearly understand
what they're doing and want as much information about events as they

can

get.

--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for 
the sole use of the intended recipient(s) and may contain confidential and 
privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner 
and is believed to be clean.



-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] consensus on BASE, Paul Schmehl
Next by Date:  RE: [Snort-users] consensus on BASE, Michael Scheidell
Previous by Thread:  Re: [Snort-users] consensus on BASE, Paul Schmehl
Next by Thread:  Re: [Snort-users] consensus on BASE, Bamm Visscher
Indexes:  [Date] [Thread] [Top] [All Lists]