I had OSSIM installed and running for a short while.  It does SOOO much 
more than I needed, like NAGIOS, which ended up filling my server with log 
files.  I have since talked with the OSSIM group and found out how to 
stop that, but due to other projects I have been unable to get back to it yet.  
It provides as close to real time as I have seen, aside from the link 
Rob already gave you.

Just like you, I was doing a proof of concept, and for that it was not 
high on the company's list of things for me to do, but I can say OSSIM 
will be right at the top of the testing when I do get back.  You're just 
going to have to tweak it and turn off things you don't need.

Super easy install.  Find an old PC or server and give it a shot; the worst 
that can happen is you waste a few hours to find that it is not actually 
what you need. :-)

Hope this helps,

- Robert
(arch3angel)

Grymoire wrote:
> Thanks, Rob, for the liveSnort link. Some comments:
>
> * Easy to install
>
> * When you press the Details link, it points to a URL on the snort.org
>   site that no longer exists. Example
>
>               http://www.snort.org/pub-bins/sigs.cgi?sid=46
>
> * No visualization. All it seems to be is a web listing of the alerts.
>
> As for splunk, I'm not interested in log correlation. Not at this
> time.  That comes later. I want to build a proof-of-concept on a
> single machine first.
>
>   
>> Not sure what you are looking for here though...
>>     
>
>               Visualization of trends. 
>               Categorization of activity over time
>               High level view of general status.
>               Event correlation - by humans looking at graphs for now
>
> In simple terms, I want plots of activity over time, and the ability
> to categorize these activities. For instance, snort has labels of event
> types. I want a plot of number of events by type over time.
>
> For example, I'd like to take a set of recorded network traffic, such
> as a CtF event, and feed it in, and be able to get an overview of
> activity. How did the first day's activity differ from the second day?
>
> Munin is a standard package for Ubuntu, and it looked like a good
> starting point. I even saw some documentation on snort plugins, but
> apparently it's based on the old snort statistics stuff. 
>
>
>   
>> Correct, we cleaned out a lot of the 3rd party projects that weren't
>> maintained anymore when we redid the site:
>> http://www.snort.org/downloads/additional-downloads/ is what is
>> left.
>>     
>
> It would be nice if the 2.8.5.1 contrib/README file had this
> information.  It would also be nice if there was a redirect link from
> the old location to the new location.  I wonder if the snort team
> looks at the web logs for URL gets of missing pages.
>
>
>   
>> Snort IDS and IPS toolkit is the most recent book.  I think that
>> one was...  2006? 2007?
>>     
>
>
> Thanks, I'll take a look.
>
>   
>> I use text based alerting, but that's not really feasible for an
>> unskilled enterprise environment.
>>     
>
> Yes. I don't want micromanagement. I want "big picture" information.
>
>   
>> The Snort-Users mailing list is also available for your reference.  
>>     
>
> Okay. I think the number of mailing lists I subscribe to is
> approaching 100+. I prefer searching over subscribing, sigh...
> I thought this would be easy, with a FAQ, etc.
> (Thank god for procmail. )
>
> As for your suggestions...
>
>   
>> Base, Snorby, Sguil..
>>     
>
> I installed ACID BASE as part of Ubuntu. My next step is to see how I
> can extend and plot the data on a web page. I had hopes for munin.
>
> See
> https://forums.snort.org/forums/snort-newbies/topics/munin
>
> As for Snorby - that's a front-end for snort. I have snort running and
> feeding mysql.  And Sguil - I don't see any graphs in the sample
> screen shots. So Snorby and Sguil don't seem to do what I want.
>
> I'm also looking at pmgraph.pl and EasyIDS,
> and learning more about BASE and ACID.
>
> - Grymoire
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
>   

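An added example, not code from this thread, from OSSIM, or from the Snort project: a short Python script that does the counting Grymoire describes (number of alerts by classification per day, and how one day differs from the next), reading Snort's alert_fast text output instead of the MySQL/BASE tables. The sample alert lines are constructed for the example; the rule SIDs, hosts and dates in them are made up.

```python
"""Count Snort alerts by classification per day and compare days.

Input is Snort's alert_fast output (one alert per line), as written by
"output alert_fast: alert.fast" in snort.conf or by "snort -A fast".
With "-y" the date carries a year (MM/DD/YY); without it, only MM/DD.
Both forms are accepted.  Example code; not Snort's own tooling.
"""
import re
from collections import defaultdict

FAST_ALERT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}(?:/\d{2})?)-(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"  # absent if rule has no classtype
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample, not real traffic: a two-day "CTF" capture with one
# malformed line to show that the parser skips it rather than crashing.
SAMPLE_ALERTS = """\
10/21/09-09:15:02.000123  [**] [1:1000001:1] CTF scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:41234 -> 10.1.2.10:80
10/21/09-09:15:07.000456  [**] [1:1000001:1] CTF scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.5:41235 -> 10.1.2.10:22
10/21/09-11:40:31.221100  [**] [1:1000002:1] CTF web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.7:50021 -> 10.1.2.10:80
this line is garbage and should be skipped
10/22/09-02:03:44.000000  [**] [1:1000002:1] CTF web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.7:50022 -> 10.1.2.10:80
10/22/09-02:05:00.000000  [**] [1:1000002:1] CTF web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.9:50023 -> 10.1.2.10:80
10/22/09-03:17:19.000000  [**] [1:1000003:1] CTF shell [**] [Priority: 3] {UDP} 10.1.1.9:5555 -> 10.1.2.11:53
""".splitlines()


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # Rules without a classtype produce no [Classification: ...] field.
    rec["classification"] = rec["classification"] or "unclassified"
    rec["priority"] = int(rec["priority"])
    return rec


def count_by_day_and_class(lines):
    """Return ({day: {classification: count}}, number_of_unparsed_lines)."""
    counts = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            skipped += 1
            continue
        counts[rec["date"]][rec["classification"]] += 1
    return {day: dict(per_class) for day, per_class in counts.items()}, skipped


def day_delta(counts, day_a, day_b):
    """Per-classification change in alert count from day_a to day_b."""
    a = counts.get(day_a, {})
    b = counts.get(day_b, {})
    return {c: b.get(c, 0) - a.get(c, 0) for c in set(a) | set(b)}


def ascii_bars(counts, width=40):
    """Render the counts as text bars, a stand-in for a real plot.

    Days are sorted as strings, which is fine within one month/year;
    feed ISO dates instead if a capture spans a year boundary.
    """
    peak = max((n for per_class in counts.values() for n in per_class.values()), default=1)
    out = []
    for day in sorted(counts):
        for cls, n in sorted(counts[day].items()):
            bar = "#" * max(1, n * width // peak)
            out.append(f"{day} {cls:<30} {bar} {n}")
    return out


if __name__ == "__main__":
    counts, skipped = count_by_day_and_class(SAMPLE_ALERTS)
    print("\n".join(ascii_bars(counts)))
    print(f"skipped {skipped} unparsable line(s)")
    for cls, d in sorted(day_delta(counts, "10/21/09", "10/22/09").items()):
        print(f"10/21 -> 10/22 {cls}: {d:+d}")
```

Point it at a real alert.fast file (open(...) instead of SAMPLE_ALERTS) and the day-by-classification dict is ready to hand to matplotlib, gnuplot, or whatever munin plugin ends up working; the same grouping could be done in SQL against the BASE event/signature/sig_class tables, but the text format needs no database to try it.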