Re: Snort console recommendation
From: Martin Roesch (roesch at sourcefire.com)
Date: Tue Jul 08 2003 - 11:43:20 CDT
Hi Paul,
The primary reason that people architect solutions outside the existing
open source infrastructure that's available usually falls into two
categories: performance and features. Several of the existing consoles
pay a lot of attention to features, but don't do so well on performance
and a lot of people/vendors are thinking about new ways to solve the
data management and analysis problem that will hopefully have higher
performance. Usually, most of these solutions require either
modification of existing systems or outright replacement, which is why
we see all the "extra-infrastructural" development.
Hope that answers your question acceptably.
-Marty
On Monday, July 7, 2003, at 11:02 AM, Paul Schmehl wrote:
> Unfortunately, your product requires a proprietary agent on the sensor
> and does not support acquiring data from databases such as mysql,
> postgresql or oracle that are already out there and configured.
>
> Which leads to my question. Why is everyone so insistent on building
> their own "infrastructure" to snort rather than using what already
> exists? Is it really that difficult to extract data from the default
> fields in the db? I understand the reason for having to design a log
> extractor, but snort already feeds a database. ISTM you could simply
> query what's there and be done with it.
>
> Or am I totally off base?
>
> --On Monday, July 07, 2003 07:27:01 AM -0700 Eric Hines
> <eric.hines at appliedwatch.com> wrote:
>
>> Marcelo,
>>
>> Despite the undisputed popularity of the Snort IDS and its rise to fame
>> within both the Government and Commercial sectors, the number of real
>> Enterprise monitoring consoles available for the Snort IDS is
>> surprisingly low. You have your web-based consoles, such as ACID and
>> Demarc. These are (2) browser-based options available to you.
>>
>> Your true OS-native, cross-platform option is from Applied Watch
>> Technologies (http://www.appliedwatch.com). The Applied Watch Command
>> Center is the first truly OS-native, cross-platform monitoring and
>> management system for the Snort IDS, with native support for Mac, Linux,
>> Unix, and Windows. The user can manage all their sensors from the
>> central console (snort.conf and rulesets), manage users, and view alerts
>> separated into High, Medium, Low, and Unknown windows.
>
> Paul Schmehl (pauls at utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
> -------------------------------------------------------------------------------
> The Lightning Console aggregates IDS events, correlates them with
> vulnerability info, reduces false positives with the click of a
> button, and distributes this information to hundreds of users.
> Visit Tenable Network Security at http://www.tenablesecurity.com to
> learn more.
> -------------------------------------------------------------------------------
>
>
--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
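Editor's added example (not part of the thread, and not Sourcefire's, Applied Watch's or any console's code): the kind of query Paul is describing, run directly against the database that Snort's `output database` plugin already populates. It assumes the Snort 2.x MySQL schema as created by the `create_mysql` script shipped with Snort (tables `sensor`, `event`, `signature`, `iphdr`, `tcphdr`, `udphdr`; IP addresses stored as unsigned 32-bit integers, hence `INET_NTOA`), and the High/Medium/Low/Unknown bucketing of `sig_priority` is an assumed mapping chosen to match the windows Eric describes, with priority 1 treated as the most severe.

```sql
-- Added example: read alerts straight out of the stock Snort database
-- schema (Snort 2.x, contrib/create_mysql) instead of deploying an extra
-- agent on the sensor. Assumed schema:
--   sensor(sid, hostname, interface, filter, detail, encoding, last_cid)
--   event(sid, cid, signature, timestamp)
--   signature(sig_id, sig_name, sig_class_id, sig_priority, sig_rev, sig_sid)
--   iphdr(sid, cid, ip_src, ip_dst, ip_proto, ...)   -- ip_src/ip_dst are INT UNSIGNED
--   tcphdr(sid, cid, tcp_sport, tcp_dport, ...)
--   udphdr(sid, cid, udp_sport, udp_dport, ...)

-- 1. Alert list for the last hour, with the High/Medium/Low/Unknown
--    bucketing (assumed mapping: priority 1 = High, 2 = Medium, 3 = Low).
SELECT e.sid,
       e.cid,
       s.hostname,
       s.interface,
       e.timestamp,
       sg.sig_name,
       sg.sig_priority,
       CASE sg.sig_priority
            WHEN 1 THEN 'High'
            WHEN 2 THEN 'Medium'
            WHEN 3 THEN 'Low'
            ELSE 'Unknown'
       END                                   AS severity,
       INET_NTOA(ip.ip_src)                  AS src_ip,
       INET_NTOA(ip.ip_dst)                  AS dst_ip,
       ip.ip_proto,
       COALESCE(t.tcp_sport, u.udp_sport)    AS src_port,   -- NULL for ICMP etc.
       COALESCE(t.tcp_dport, u.udp_dport)    AS dst_port
FROM event e
JOIN sensor    s  ON s.sid = e.sid
JOIN signature sg ON sg.sig_id = e.signature
LEFT JOIN iphdr  ip ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t  ON t.sid  = e.sid AND t.cid  = e.cid
LEFT JOIN udphdr u  ON u.sid  = e.sid AND u.cid  = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 HOUR
ORDER BY sg.sig_priority, e.timestamp DESC;

-- 2. Summary view: busiest signatures per sensor over the last 24 hours,
--    the sort of roll-up a console front page shows.
SELECT s.hostname,
       sg.sig_name,
       sg.sig_priority,
       COUNT(*)                              AS hits,
       COUNT(DISTINCT ip.ip_src)             AS distinct_sources,
       MIN(e.timestamp)                      AS first_seen,
       MAX(e.timestamp)                      AS last_seen
FROM event e
JOIN sensor    s  ON s.sid = e.sid
JOIN signature sg ON sg.sig_id = e.signature
LEFT JOIN iphdr  ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY s.hostname, sg.sig_name, sg.sig_priority
ORDER BY sg.sig_priority, hits DESC;

-- 3. Incremental poll. Snort numbers events per sensor with a monotonically
--    increasing cid, so a console that remembers the last (sid, cid) it saw
--    can fetch only new rows through the (sid, cid) primary key instead of
--    rescanning by timestamp. @last_cid_seen is a placeholder the console
--    stores per sensor; 42 is a constructed value for this example.
SET @sensor_id    = 1;
SET @last_cid_seen = 42;
SELECT e.sid, e.cid, e.timestamp, sg.sig_name, sg.sig_priority
FROM event e
JOIN signature sg ON sg.sig_id = e.signature
WHERE e.sid = @sensor_id
  AND e.cid > @last_cid_seen
ORDER BY e.cid;
```

The third query is where Marty's "performance" point bites: a console that re-runs query 1 against a large `event` table every few seconds is doing the same work over and over, whereas polling by `(sid, cid)` walks forward through the primary key and touches only rows it has not processed. Either way, nothing here needs a process on the sensor beyond the `output database` plugin Snort already has.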