-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of
Drew Burchett
Sent: Saturday, May 27, 2006 7:21 AM
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] consensus on BASE
I guess if BASE has one fatal flaw, there's no ability to see
an IP conversation that triggered an alert. For example, if
you see an ATTACK RESPONSE 403 FORBIDDEN alert, there's no
good way to tell if it was malicious or if some dummy just
typed in the wrong URL.
Then there is no flaw in BASE, since it only records what snort gave it.
NOTHING can tell you what cause the 403 error unless you also correlate
it to syslogs for the web server.
(which you can do with base if you want to parse syslogs and send them
to base)
I think BASE is great, except for the searching capibilities. They are
really poor.
That makes it hard to do anything but look at 'top 5' type events.
--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
MediaPro web base privacy and security training:
http://www.secnap.com/events.php?pg=15
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
