Snort mailing list archives
Re: HELP ON SNORT
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 30 Jan 2012 12:25:18 -0700
My situation is that we are a small shop and we need tools that minimize the analyst's time. Fortunately/unfortunately, BASE is the tool we're using for NIDS event analysis, and the reason is that, to minimize analysis time, we've integrated the tools with other sources of information in our layered defense strategy (and BASE was easy to modify since it is built upon PHP).

Correlation is key, IMO, and seems to be missing from most of the front-end tools. (Maybe OSSIM does this a bit. Never got it working properly.)

When you see an alert on your NIDS:

- How do you determine if the endpoint system is vulnerable?
- How do you determine if the endpoint security software blocked the attempt?
- How do you determine if the alert was generated from a client request that may have been blocked by your proxy or other edge device?

If you have to go to other tools to do any of that, you are wasting analyst time. Ideally it should all be just there on the screen without drilling down into anything (a bit more difficult to do). I guess we are getting into SIEM territory here... sometimes the SIEMs don't even do a good job of this though.

-----Original Message-----
From: beenph [mailto:beenph () gmail com]
Sent: Monday, January 30, 2012 7:34 AM
To: snort-users () lists sourceforge net
Cc: Paul Halliday; Jagan Mohan Reddy D
Subject: Re: [Snort-users] HELP ON SNORT

On Mon, Jan 30, 2012 at 9:54 AM, Paul Halliday <paul.halliday () gmail com> wrote:
> On Mon, Jan 30, 2012 at 9:42 AM, Joel Esler <jesler () sourcefire com> wrote:
>> On Jan 30, 2012, at 7:53 AM, Paul Halliday wrote:
>>> On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:
>>>> On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:
>>>>> I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes.
>>>> Agreed!
>>> So do we just shake our fingers at them and move on?
>> No. It starts at my/our level. We have to make the engine easier to use, simpler to tune, easier to understand.... It involves coordination with open source products to make things easier to use and tune. All things on my plate for this year.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>
> This is a good start; the second part however is quite complicated. Think of Sguil's mantra: "Written by Analysts, for Analysts". OK, so we just alienated everyone that isn't an experienced analyst. Snorby (mantra aside) falls into this group as well. What I am getting at is we have a huge tool gap. Well, it's not even a gap at all because there is only one side; hence the lack of accessibility I mentioned earlier.
Here is the way I see it: Sourcefire/OISF provide tools which produce a source of information that is then processable (Unified2/Syslog/Text file/Pcap etc.). That information can be stored and analysed in many ways. Person X's needs might not be Person Y's needs, or Person Z's. There is a gap between using open source tools such as display/analysis tools for small to medium settings, but there is a huge step to bring this into a SIEM service/platform that will scale for high-needs environments. And personally I think that's where the line is.

If you are trying to profit from tools or "save" by using them, you will end up having to use some of your "elbow oil" and probably dev/customize some tools. I have a hard time believing that anything that could be brewed by multiple groups or even the "community" would still meet the requirements of some specific settings. As long as the majority is pleased I think it is enough, and I am sure 2012 will bring some joy to some people.

-elz

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
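The three questions Shawn raises in the message above (is the endpoint vulnerable, did endpoint security block the attempt, did the proxy block the client request) amount to a correlation join between Snort alerts, an asset inventory, endpoint logs and proxy logs. The script below is an added example of that join and is not code from this thread, from BASE or from Snort. Everything it consumes is constructed for illustration: the Snort fast-format alert lines, the asset inventory, the rule metadata (SIDs in the local-rule range, with no relation to any real rule), the endpoint-security events and the Squid-style access-log lines; it also assumes the sensor and the proxy both log in UTC so timestamps can be compared directly, and that 2012 is the year missing from the fast-format timestamps.

```python
"""Enrich Snort fast-format alerts with asset, endpoint and proxy context.
Added example; all data below is constructed (hypothetical SIDs, RFC 5737 addresses)."""
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
YEAR = 2012                      # fast-format timestamps carry no year; assumed here
WINDOW = timedelta(seconds=60)   # how close a log event must be to the alert to count

# Constructed asset inventory: OS and listening ports per internal host.
ASSETS = {
    "192.168.1.10": {"os": "windows", "open_ports": {445, 3389}},
    "192.168.1.30": {"os": "linux", "open_ports": {22, 80}},
    "192.168.1.22": {"os": "windows", "open_ports": set()},
}
# Hypothetical local rules: which OS the rule's exploit applies to, and whether
# the victim is the destination (inbound attack) or the source (client request).
RULE_META = {
    1000001: {"affects_os": {"windows"}, "direction": "inbound"},
    1000002: {"affects_os": {"windows"}, "direction": "client"},
}
# Constructed endpoint-security events (host, time, what the agent did).
ENDPOINT_EVENTS = [
    {"host": "192.168.1.10", "ts": datetime(2012, 1, 30, 12, 30, 5), "action": "blocked"},
]
# Constructed Squid native access-log lines: epoch elapsed client result/status bytes method url ...
PROXY_LOG = """\
1327926325.412    12 192.168.1.22 TCP_DENIED/403 3671 GET http://198.51.100.9/update.exe - NONE/- text/html
1327926330.001   210 192.168.1.22 TCP_MISS/200 14213 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""
# Constructed alerts in the shape Snort's alert_fast output writes them.
SAMPLE_ALERTS = [
    "01/30-12:25:18.123456  [**] [1:1000001:1] LOCAL SMB exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.7:44321 -> 192.168.1.10:445",
    "01/30-12:25:18.500000  [**] [1:1000002:1] LOCAL suspicious executable download [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.168.1.22:51000 -> 198.51.100.9:80",
    "01/30-12:26:02.000000  [**] [1:1000001:1] LOCAL SMB exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.7:44400 -> 192.168.1.30:445",
    "01/30-12:30:00.000000  [**] [1:1000001:1] LOCAL SMB exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.9:40000 -> 192.168.1.10:445",
]


def parse_fast_alert(line):
    """Split one fast-format line into fields; ValueError if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    a = m.groupdict()
    a["ts"] = datetime.strptime("%d/%s" % (YEAR, a["ts"]), "%Y/%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k])
    return a


def parse_squid(line):
    f = line.split()
    return {"ts": datetime(1970, 1, 1) + timedelta(seconds=float(f[0])),
            "client": f[2], "result": f[3], "url": f[6]}


def near(t1, t2):
    return abs(t1 - t2) <= WINDOW


def is_vulnerable(alert, victim, meta):
    """True/False from the inventory; None when the host or the rule is unknown."""
    asset = ASSETS.get(victim)
    if asset is None or meta is None:
        return None
    if meta["direction"] == "client":       # client-side rule: only the client OS matters
        return asset["os"] in meta["affects_os"]
    return alert["dport"] in asset["open_ports"] and asset["os"] in meta["affects_os"]


def endpoint_blocked(alert, victim):
    return any(e["host"] == victim and e["action"] == "blocked" and near(e["ts"], alert["ts"])
               for e in ENDPOINT_EVENTS)


def proxy_blocked(alert):
    for rec in map(parse_squid, PROXY_LOG.splitlines()):
        if rec["client"] == alert["src"] and rec["result"].startswith("TCP_DENIED") and near(rec["ts"], alert["ts"]):
            return True
    return False


def triage(line):
    """Answer the three questions for one alert and fold them into a verdict."""
    alert = parse_fast_alert(line)
    meta = RULE_META.get(alert["sid"])
    client_side = meta is not None and meta["direction"] == "client"
    victim = alert["src"] if client_side else alert["dst"]
    vuln = is_vulnerable(alert, victim, meta)
    ep = endpoint_blocked(alert, victim)
    px = proxy_blocked(alert) if client_side else False
    if ep or px:
        verdict = "blocked"
    elif vuln is None:
        verdict = "unknown asset or rule"
    elif vuln:
        verdict = "investigate"
    else:
        verdict = "not vulnerable"
    return {"sid": alert["sid"], "msg": alert["msg"], "victim": victim, "vulnerable": vuln,
            "endpoint_blocked": ep, "proxy_blocked": px, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        r = triage(line)
        print("%-16s sid=%d vuln=%s ep=%s proxy=%s  %s" % (r["verdict"], r["sid"],
              r["vulnerable"], r["endpoint_blocked"], r["proxy_blocked"], r["msg"]))
```

Of the four constructed alerts, the first lands on a Windows host with 445 open and no endpoint event within the window, so it is the one an analyst should open; the second is a client request the proxy denied seven seconds later; the third targets a Linux host and the rule does not apply; the fourth was stopped on the endpoint. The "unknown asset or rule" outcome is deliberate: an alert for a host missing from the inventory must not be silently scored as safe, which is the failure mode a correlation front-end most needs to avoid.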
Current thread:
- Re: HELP ON SNORT, (continued)
- Re: HELP ON SNORT Heine Lysemose (Jan 28)
- Re: HELP ON SNORT Dustin Webber (Jan 28)
- Re: HELP ON SNORT Martin Holste (Jan 29)
- Re: HELP ON SNORT Joel Esler (Jan 29)
- Re: HELP ON SNORT Dustin Webber (Jan 29)
- Re: HELP ON SNORT Joel Esler (Jan 29)
- Re: HELP ON SNORT Paul Halliday (Jan 30)
- Re: HELP ON SNORT Joel Esler (Jan 30)
- Re: HELP ON SNORT Paul Halliday (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)
- Re: HELP ON SNORT Jefferson, Shawn (Jan 30)
- Re: HELP ON SNORT Lay, James (Jan 30)
- Re: HELP ON SNORT Jeremy Hoel (Jan 30)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT beenph (Jan 29)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)
- Re: HELP ON SNORT Martin Holste (Jan 30)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)
- Re: HELP ON SNORT Martin Holste (Jan 30)
