Alternative Snort usage

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
I know I am supposed to be on a little break, but before I go, I want to know if anyone is running Snort on Windows or using Snorby. My company *may* approve of building a small capture appliance or server soon. I know they are going to want something that either A: runs on a familiar platform (we are a 100% Windows shop) or B: is something that doesn't feel like a foreign platform. Snorby looks damn nice, and the reporting features look to be pretty powerful. I just want to know if anyone has any experience with it or any other GUIs for Snort.

Comments

  • docrice (Member, Posts: 1,706)
    I'm planning on using primarily Sguil, Squert, and Trisul, but Snorby is definitely something I'm going to look at as well. Much nicer than BASE, for sure.

    Although I've never run Snort on Windows, I'm very hesitant to do so. There's too much going on in Windows that might eat up CPU cycles unnecessarily. It's hard to really build a super-lean default Windows install (Server Core is the closest thing you can get). Something is better than nothing, though.

    http://blog.snort.org/2011/01/guis-for-snort.html

    Security Onion gives you the GUI, a Sguil console, etc. already packaged. I'm sure you've seen the benefits here. There's a Trisul component that you can install in Security Onion.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Trisul may be "good enough". Thanks for the tip, as I had never heard of it. By the way, Security Onion is incredible, but it is both a gift and a curse because (IMO) the amount of tools is simply overwhelming. I guess that just shows you that you need to try harder lol. Still, it is a bit intimidating. I am going to install Trisul on Security Onion in a few minutes. There is a good guide on their site:
    "Traffic and security monitoring with Trisul on Security Onion" (Unleash Networks Blog)

    Do you build your Snort boxes completely from scratch (I know you have, as I have read your blog) or do you lean towards something like Security Onion?
  • docrice (Member, Posts: 1,706)
    If possible, I build from scratch so I have the leanest possible base and component set. However, if it would take too long to get a set of tools working together when setting up an integrated system, I might go for a package like Security Onion (at least for the proof-of-concept stage). If I'm deploying sensors, I really don't want an X installation on there, even if I'm not using it. More code on the box means a larger exploitability surface.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Well, now I have run into a problem. You wouldn't happen to know how to make a device "fail open", would ya? Otherwise we are going to go with Cisco IPS :(
  • SilverGenius (Member, Posts: 56)
    Are you talking about a NIC in an inline configuration? I don't think that is possible. You would have to install some sort of bypass switch to have that effect.

    EDIT:
    What about getting a card like this that has built-in bypass? "Network Interface Card with Bypass" (Interface Masters, NICs Bypass)
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    Well, I'm looking at Sourcefire again. It would be dope to roll something like that out (if I can get a chance).
  • docrice (Member, Posts: 1,706)
    One of Sourcefire's differentiators is RNA, RUA, and QualysGuard integration (assuming you use Qualys' service). RNA gives you much better host context through passive traffic interpretation, and RUA (if it can see the AD auth requests) can essentially tie a username to a particular IP address. The capabilities and network mapping are really cool. However, they don't have a whole lot of inline interface pairs unless you want to go to the higher-end models. If you're doing strictly monitoring and not blocking, then you obviously double the amount of usable interfaces.

    Another downside is that they currently don't have a reputation service like some other vendors. Their sensors also don't seem like purpose-built appliances with ASICs and FPGAs (the 3D8000 series might be another story), although one could argue that in the real world it might not matter.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    I am looking at the 3D-class devices. I think they are purpose-built devices. I really want to see if I can get the sales guy to throw in some training for me and the senior here (although he doesn't seem that interested).