On 24 January 2013 09:12, JPZ <[email protected]> wrote:

> · BASE, which hasn't been updated since 2009
> (http://base.secureideas.net/)

BASE is cool but if you're dealing with a large number of alerts you're going to need some pretty beefy hardware to get decent performance; I consider my environment a small one - 1.5 Gb/s, 20k users and an Internet-facing /16 - and we couldn't get the performance we wanted from BASE at the price point we needed for hardware. I ended up replacing it with Sguil since it's primarily geared for real-time incident response. That said, Kevin Johnson did a fantastic job with BASE and if I were in a smaller environment, or had more funding for beefier hardware, I'd use it to augment Sguil. Note Sguil is specifically for Snort.

> · Log analyzers such as syslog-ng, ELSA, logstash, etc
>
> o Although they output useful stats, it's not quite what I'm looking for.

You can interrogate MySQL, PostgreSQL and Oracle with ELSA. See alternate data sources here: http://ossectools.blogspot.com/2012/09/integrating-org-data-in-elsa.html

Right now I have approximately 40 - 50 servers pointing their system logs and a half-dozen snort sensors outputting to both Sguil and ELSA. I can then use the groupby function in ELSA to search my passive DNS database, various MySQL databases, etc. Check the ELSA users mailing list regarding integrating OSSEC (they do it in SecurityOnion; it can be done manually). The "problem", if you can call it that, is that you don't get the real-time console that (if memory serves) you get with Snorby or (I can confirm this, I use it for 6 - 8 hours every day) Sguil.

> · Snorby

I tried this, too, and ran into the same performance issues as with BASE, plus Snorby has some really horrid dependency chains. The Ruby stuff almost always gave me trouble, but it was during the early days of the Snorby project (1 - 1.5 years ago, give or take?). Snorby in the cloud is promising for solving some of those performance issues and, in all fairness, I really should give it another try now that it's had time to mature.

> · OSSIM \ securityOnion
>
> o Full blown OS with everything packed together
>
> § You seem restricted to specific versions of OSSEC, snort, etc. Upgrading
> manually isn't recommended.

Doug (the author of SecurityOnion) does regular releases and is pretty responsive. As you've noted, the project does lag a little behind the individual releases of its major components -- OSSEC, Snort, Sguil, ELSA, CapME *and* Snorby -- but having it all together, and supported, fits most needs. Out of curiosity, what functionality is missing from SO that you need from the latest version of <some component>? Or is it just the thought of being tied to a particular release until Doug updates SO?

> 3. What is everyone else using as an Open Source security monitoring
> GUI for snort =>2.9.3 & OSSEC ?

I have 40+ servers running OSSEC and I don't worry about feeding their alerts through anything yet, but I'm about to pull them into ELSA, see: http://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#OSSEC_Integration

Snort and OSSEC are only a small part, though, as I've recently started deploying Bro as well and the data from it can be overwhelming. ELSA can be fed bro data as well so ...

I'm curious to see what you choose. I think different products tend to stick more firmly with certain people based on how they use the tools, and I'm always interested in seeing who chooses what. I primarily do network-based intrusion and incident response, and I have a programming and Linux/Unix system administration background, so my choice in tools tends to be different from someone with, for example, a Splunk or Windows background.

kmw
--
