On Fri, Dec 4, 2009 at 9:28 AM, Grymoire <[email protected]> wrote:
>
> Thanks, Rob, for the liveSnort link. Some comments:
>
> * Easy to install
>
> * When you press the Details link, it points to a URL on the snort.org
> site that no longer exists. Example
>
> http://www.snort.org/pub-bins/sigs.cgi?sid=46
>

Yes, the old rule references are gone, we are thinking of a new way to do this. In the meantime, all rule documentation is included in the rule pack. In the doc/ directory of the rulepack.

> * No visualization. All it seems to be is a web listing of the alerts.
>

Correct, there aren't many tools that do this <plug> Sourcefire does </plug>

> As for splunk, I'm not interested in log correlation. Not at this
> time. That comes later. I want to build a proof-of-concept on a
> single machine first.
>

Splunk allows for easy searching and viewing of Snort alerts, plus you can get a graph of trending amounts of traffic over time (IIRC). It works.

> > Not sure what you are looking for here though...
>
> Visualization of trends.
> Categorization of activity over time
> High level view of general status.
> Event correlation - by humans looking at graphs for now
>
> In simple terms, I want plots of activity over time, and the ability
> to categorize these activities. For instance, snort has labels of event
> types. I want a plot of number of events by type over time.
>

pmgraph will do that for you, if you are looking for simple bar graphs and what not. http://www.snort.org/users/jbrvenik/Site/Archives.html

> For example, I'd like to take a set of recorded network traffic, such
> as a CTF event, and feed it in, and be able to get an overview of
> activity. How did the first day's activity differ from the second day?
>

Many of the old Snort visualization projects are dead. Unfortunately.

> Munin is a standard package for Ubuntu, and it looked like a good
> starting point. I even saw some documentation on snort plugins, but
> apparently it's based on the old snort statistics stuff.
>
> > Correct, we cleaned out a lot of the 3rd party projects that weren't
> > maintained anymore when we redid the site:
> > http://www.snort.org/downloads/additional-downloads/ is what is
> > left.
>
> It would be nice if the 2.8.5.1 contrib/README file had this
> information. It would also be nice if there was a redirect link of
> the old location to the new location. I wonder if the snort team
> looks at the web logs for URL gets of missing pages.
>

I'll see if I can get this fixed for you.

> > The Snort-Users mailing list is also available for your reference.
>
> Okay. I think the number of mailing lists I subscribe to is
> approaching 100+. I prefer searching over subscribing, sigh...
> I thought this would be easy, with a FAQ, etc.
> (Thank god for procmail.)
>

Aren't we all having that problem? ;)

> As for your suggestions...
>
> > Base, Snorby, Sguil..
>
> I installed ACID BASE as part of Ubuntu. My next step is to see how I
> can extend and plot the data on a web page. I had hopes for munin.
>

I don't know anything about munin. However, I wish the debian people (and ubuntu people as a result) -- and yes, I have talked to the debian people, personally, about this -- It's not "acid_base". It's called BASE. base.secureideas.net Sorry, pet peeve.

> I'm also looking at pmgraph.pl and EasyIDS
> And learn more about BASE and ACID.
>

Forget about ACID. Totally. It has been updated, in.. 7 years? BASE is a good start. pmgraph is a good start to give you simple graphing based off of performance stats... Splunk is good for overall.

mubix++

--
Joel Esler | 302-223-5974 | gtalk: [email protected]
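The "number of events by type over time" view asked for in this thread, as an added example that is not part of the thread or of any tool named in it: a small Python script that parses Snort's alert_fast output (constructed sample lines, not a real capture) and tabulates alerts by classification per day, so one day of a CTF capture can be compared against the next.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's alert_fast layout (not a real capture):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {proto} src -> dst
SAMPLE_ALERTS = """\
12/04-09:28:01.120331  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44112 -> 10.0.0.20:22
12/04-09:31:47.004210  [**] [1:1000002:1] CONSTRUCTED web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44200 -> 10.0.0.21:80
12/04-13:02:09.551002  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51020 -> 10.0.0.20:22
12/05-02:15:33.100000  [**] [1:1000002:1] CONSTRUCTED web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:33001 -> 10.0.0.21:80
12/05-02:16:01.200000  [**] [1:1000002:1] CONSTRUCTED web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:33002 -> 10.0.0.21:80
12/05-08:40:12.000000  [**] [1:1000003:2] CONSTRUCTED policy event [**] [Priority: 3] {UDP} 10.0.0.9:5353 -> 224.0.0.251:5353
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]"
)

def parse_fast_alerts(text):
    """Yield one dict per well-formed alert line; anything else is skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["cls"] = d["cls"] or "Unclassified"  # rule had no classtype
            yield d

def counts_by_day_and_class(text):
    """Return {day: Counter(classification -> alert count)}: the table a per-type plot is drawn from."""
    table = defaultdict(Counter)
    for a in parse_fast_alerts(text):
        table[a["date"]][a["cls"]] += 1
    return dict(table)

def day_delta(table, day_a, day_b):
    """Change per classification from day_a to day_b (positive = more alerts on day_b)."""
    classes = set(table.get(day_a, {})) | set(table.get(day_b, {}))
    return {c: table.get(day_b, {}).get(c, 0) - table.get(day_a, {}).get(c, 0) for c in classes}

if __name__ == "__main__":
    t = counts_by_day_and_class(SAMPLE_ALERTS)
    for day in sorted(t):
        for cls, n in sorted(t[day].items()):
            print(f"{day}  {n:3d}  {cls}")
    print("delta 12/04 -> 12/05:", day_delta(t, "12/04", "12/05"))
```

Feed a real alert_fast file in place of SAMPLE_ALERTS and the per-day table is what pmgraph-style bar charts or a spreadsheet plot would be built from.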
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
