[Snort-users] Snort Tool Evaluation
Hi
Is there anyone out there who has done an evaluation of tools designed
to work with Snort? E.g. which ones work well? Which ones give lots of
trouble? Which ones are really useful, and which don't do what they claim to
do? Or why is one better than another?
Thanks
Jo
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Harper, Patrick 2004-09-28, 8:03 am
Works with snort in what way? Rule updates? Alert viewing? Database
logging? ...?
-----Original Message-----
From: Jo [mailto:g01j2027@campus.ru.ac.za]
Sent: Tuesday, September 28, 2004 5:55 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort Tool Evaluation
Hi
Is there anyone out there who has done an evaluation of tools designed
to work with Snort? E.g. which ones work well? Which ones give lots of
trouble? Which ones are really useful, and which don't do what they claim to
do? Or why is one better than another?
Thanks
Jo
Jose Maria Lopez 2004-09-28, 5:47 pm
On Tue, 28 Sep 2004 at 12:55, Jo wrote:
> Hi
>
> Is there anyone out there who has done an evaluation of tools designed
> to work with Snort? E.g. which ones work well? Which ones give lots of
> trouble? Which ones are really useful, and which don't do what they claim to
> do? Or why is one better than another?
>
> Thanks
>
> Jo
I like ACID, oinkmaster and barnyard.
-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
Ty Bodell 2004-09-28, 5:47 pm
Jo--
Check out the book "Managing Security with Snort and IDS Tools". It's
an O'Reilly book and it goes over a good amount of the tools designed
for snort. From preprocessors to Web interfaces and Consoles, what
works with High Bandwidth deployments, etc. I don't believe it covers
OpenAanval though. You can extract the pros and cons from there.
Cheers,
Ty Bodell
On 28 Sep 2004 12:55:15 +0200, Jo <g01j2027@campus.ru.ac.za> wrote:
> Hi
>
> Is there anyone out there who has done an evaluation of tools designed
> to work with Snort? E.g. which ones work well? Which ones give lots of
> trouble? Which ones are really useful, and which don't do what they claim to
> do? Or why is one better than another?
>
> Thanks
>
> Jo
>
Dirk Geschke 2004-09-28, 5:47 pm
Hi Ty,
> Check out the book "Managing Security with Snort and IDS Tools". It's
> an O'Reilly book and it goes over a good amount of the tools designed
> for snort. From preprocessors to Web interfaces and Consoles, what
> works with High Bandwidth deployments, etc. I don't believe it covers
> OpenAanval though. You can extract the pros and cons from there.
Did you read this book? I just did and it is by far the ugliest
book I have seen, either by O'Reilly or covering snort.
If you read the documentation which comes with snort you will get
better information than this book will give you.
If you are looking for a good book then take
Snort 2.1 Intrusion Detection, Second Edition ISBN 1-931836-04-3
by Brian Caswell and Jay Beale
(Ok, I didn't read this book but the first edition covering snort-2.0
and this book was quite useful. So I expect the second edition will be too.)
Best regards
Dirk
PS: There are more books on snort available but I read these two books.
So I can't say anything about the other ones. They might be good or not but
the O'Reilly book is definitely not useful.
Ty Bodell 2004-09-29, 2:56 am
Mr. Geschke--
I did read this book actually, and I'm not proclaiming it's a bible or
anything. In fact, it's little more than a tool reference, listing
switches to the tools and options in the interfaces for third party
tools related to snort. But, it does cover a majority of the tools
and this was why I was suggesting this to Jo. To get a handle on the
tools mentioned in this book related to snort and extract pros and
cons for using each one.
I also did read Snort 2.1 Intrusion Detection Second Edition Upgrade
and yes, I must concur with and second your opinion. There is no
better reference or doc that covers snort in all the ways that an
admin needs to know.
Best,
Ty Bodell
On Tue, 28 Sep 2004 21:06:38 +0200, Dirk Geschke <dirk_geschke@genua.de> wrote:
> Hi Ty,
>
>
> Did you read this book? I just did and it is by far the ugliest
> book I have seen, either by O'Reilly or covering snort.
>
> If you read the documentation which comes with snort you will get
> better information than this book will give you.
>
> If you are looking for a good book then take
>
> Snort 2.1 Intrusion Detection, Second Edition ISBN 1-931836-04-3
> by Brian Caswell and Jay Beale
>
> (Ok, I didn't read this book but the first edition covering snort-2.0
> and this book was quite useful. So I expect the second edition will be too.)
>
> Best regards
>
> Dirk
>
> PS: There are more books on snort available but I read these two books.
> So I can't say anything about the other ones. They might be good or not but
> the O'Reilly book is definitely not useful.
>
Dirk Geschke 2004-09-29, 2:56 am
Hi Ty,
> I did read this book actually, and I'm not proclaiming it's a bible or
> anything. In fact, it's little more than a tool reference, listing
> switches to the tools and options in the interfaces for third party
> tools related to snort. But, it does cover a majority of the tools
> and this was why I was suggesting this to Jo. To get a handle on the
> tools mentioned in this book related to snort and extract pros and
> cons for using each one.
but even this is not a good survey at all. Only ACID and SnortCenter
are mentioned in some more detail. But most of it covers the topic of
how to install it and the basic usage. There are better guides for
free out there.
The really interesting parts like performance optimization or for
example how to use ACID effectively are missing or by far too short.
The additional tools for snort IDS management in chapter 12 are
mostly only mentioned, mostly with a screenshot
and covering less than a page for each tool. It does not mention
any advantages or disadvantages of the tools at all. This is not
really useful except that the tools were mentioned...
The author does not even mention the memory mapped version
of libpcap for linux. The usage of taps for monitoring a
network is limited to one sentence where their existence is
stated.
The set of rule options is incomplete and not mentioning newer
ones like byte_test, byte_jump, isdataat, distance, within,....
The given rule options are as precise as the manual coming with
snort. So if you don't understand them then this doesn't help you
in any sense.
The recommendation for most rules and preprocessors is to
disable them if they generate too many false positives.
Or really funny are the lists where rules are disabled and
how to do this: simply put a # at the beginning of a line.
But showing 30 lines with a disabled default flow-portscan
preprocessor like this is really a waste of paper:
---
... This preprocessor is disabled by default (it can still be
considered as test code). The lines will look something like
this:
# preprocessor flow-portscan: \
# talker-sliding-scale-factor 0.50 \
# talker-fixed-threshold 30 \
# talker-sliding-threshold 30 \
# talker-sliding-window 20 \
# talker-fixed-window 30 \
# scoreboard-rows-talker 30000 \
# server-watchnet [10.2.0.0/30] \
# server-ignore-limit 200 \
# server-rows 65535 \
# server-learning-time 14400 \
# server-scanner-limit 4 \
# scanner-sliding-window 20 \
# scanner-sliding-scale-factor 0.50 \
# scanner-fixed-threshold 15 \
# scanner-sliding-threshold 40 \
# scanner-fixed-window 15 \
# scoreboard-rows-scanner 30000 \
# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
# dst-ignore-net [10.0.0.0/30] \
# alert-mode once \
# output-mode msg \
# tcp-penalties on
---
This is what I call ugly. And the whole other parts are similar
like this, there are many printings of default snort.conf passages
and so on.
Or disabling all preprocessors and rules which would look for traffic
which could not pass a firewall is really ugly. Or can you ensure that
a firewall works perfectly without any errors?
> I also did read Snort 2.1 Intrusion Detection Second Edition Upgrade
> and yes, I must concur with and second your opinion. There is no
> better reference or doc that covers snort in all the ways that an
> admin needs to know.
Oh, I think there are more good books on snort out there but the
O'Reilly book is definitely not a good one. I don't understand
O'Reilly here, normally they have very good books and most of the
time - like this time - I buy their books blindly. This one is not
worth the money...
Best regards
Dirk
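Dirk's point above is that a disabled preprocessor in snort.conf is just a block of #-prefixed, backslash-continued lines. As an added example (not code from the thread, from the book, or from Snort), the following script joins those continuation lines and reports which preprocessors a snort.conf actually enables; its embedded sample configuration is constructed from a shortened version of the flow-portscan block quoted above, and the frag2/stream4 lines are assumed for contrast.

```python
# Added example (not from the thread or from Snort): audit which preprocessors a
# snort.conf enables or leaves commented out. Assumes classic snort.conf syntax:
# 'preprocessor <name>: <args>', backslash line continuations, '#' disables a line.
import re

# Constructed sample: the commented-out flow-portscan block from the thread
# (shortened) plus two active preprocessors for contrast (assumed, not from the page).
SAMPLE_CONF = """\
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
# preprocessor flow-portscan: \\
#    talker-sliding-scale-factor 0.50 \\
#    talker-fixed-threshold 30 \\
#    server-watchnet [10.2.0.0/30] \\
#    alert-mode once \\
#    tcp-penalties on
include $RULE_PATH/telnet.rules
"""

PREPROC_RE = re.compile(r"^\s*(#\s*)?preprocessor\s+([\w-]+)\s*:?\s*(.*)$")


def join_continuations(text: str) -> list[str]:
    """Merge backslash-continued physical lines into logical lines; a disabled
    block carries '#' on every physical line, so strip it from continuations."""
    logical: list[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:  # inside a continued statement: drop the per-line comment marker
            line = re.sub(r"^\s*#\s*", "", line)
        cont = line.endswith("\\")
        buf += line[:-1] if cont else line
        if not cont:
            logical.append(buf)
            buf = ""
    if buf:  # dangling continuation at end of file
        logical.append(buf)
    return logical


def audit_preprocessors(text: str) -> dict[str, dict]:
    """Map preprocessor name -> {'enabled': bool, 'args': [tokens]}."""
    result: dict[str, dict] = {}
    for line in join_continuations(text):
        m = PREPROC_RE.match(line)
        if m:
            commented, name, args = m.groups()
            result[name] = {"enabled": commented is None, "args": args.split()}
    return result


if __name__ == "__main__":
    for name, info in audit_preprocessors(SAMPLE_CONF).items():
        print("enabled " if info["enabled"] else "DISABLED", name, *info["args"])
```

Run against a real snort.conf, the report shows at a glance which preprocessors are live rather than printed pages of commented-out defaults.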
M Shirk 2004-09-29, 7:57 pm
I too own the Snort 2.0 book, and I would ask Brian Caswell if there are
plans for a 2.2 or a 2.3 book?
There are differences between 2.0 and 2.1, but not enough to get the 2.1
book. However, I could be enticed to get the 2.3 with all of the updated
rule options
When I had a question about newer options in Snort 2.1 I was told to:
RTFM at http://www.snort.org
I was delighted to see that the snort manual had the latest rule options.
The information at http://www.snort.org is enough to get a sensor up and
running in no time
(and of course if you can not follow Patrick Harper's guides, then you should
consider a new career in basket weaving).
Shirkdog
>From: Dirk Geschke <Dirk_Geschke@genua.de>
>To: Ty Bodell <tebodell@gmail.com>
>CC: Jo <g01j2027@campus.ru.ac.za>, snort-users@lists.sourceforge.net
>Subject: Re: [Snort-users] Snort Tool Evaluation
>Date: Tue, 28 Sep 2004 21:06:38 +0200
>
>Hi Ty,
>
>
>Did you read this book? I just did and it is by far the ugliest
>book I have seen, either by O'Reilly or covering snort.
>
>If you read the documentation which comes with snort you will get
>better information than this book will give you.
>
>If you are looking for a good book then take
>
>Snort 2.1 Intrusion Detection, Second Edition ISBN 1-931836-04-3
>by Brian Caswell and Jay Beale
>
>(Ok, I didn't read this book but the first edition covering snort-2.0
>and this book was quite useful. So I expect the second edition will be
>too.)
>
>Best regards
>
>Dirk
>
>PS: There are more books on snort available but I read these two books.
>So I can't say anything about the other ones. They might be good or not but
>the O'Reilly book is definitely not useful.
>
>