
BASE is an improvement over ACID, but it's easy to tell that it's maintained by someone who doesn't use it. There's no at-a-glance overview of network activity like you get with McAfee's NUBA IDS and many others, and searching for patterns is awkward and slow compared to log aggregators like Splunk.

I'm aware of a few alternatives to BASE:

  • Sguil gives a somewhat nicer view of events, but it's showing its age, and the tcl/tk interface is awkward to use on a remote set of snort sensors from a Windows desktop.

  • OSSIM provides some pretty charts, but it wants to be your top-level SIEM in a single package, and I need something more modular, configurable, and network-focused than that.

  • Snorby looks intriguing, but it's the one out of the bunch that I haven't even tried installing and using yet; the demo site hasn't worked for me from my work desktop; only at home.

Iszi
user502
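An added example, not code from the original question or from any of the tools it names: a small Python script that parses Snort's fast-alert log format and produces the kind of at-a-glance summary (top signatures, top source hosts, counts per priority) the question finds missing in BASE. The sample alerts are constructed for this example and use documentation address ranges; the timestamp pattern accepts Snort's output both with and without the year field.

```python
import re
from collections import Counter

# Snort "alert_fast" line layout:
# MM/DD[/YY]-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # classification is optional in Snort's output
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real sensor output); the last line is deliberately malformed.
SAMPLE = """\
02/09-13:46:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:52314
02/09-13:46:02.000111  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:41022 -> 192.0.2.22:22
02/09-13:46:02.500222  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:41023 -> 192.0.2.22:22
02/09-13:46:03.777333  [**] [1:382:7] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.22
this line is not a snort alert
"""

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def summarize(lines, top=3):
    """Aggregate alerts into the overview a console should show first."""
    by_sig, by_src, by_prio, skipped = Counter(), Counter(), Counter(), 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1          # count unparseable lines instead of silently dropping them
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_src[alert["src"]] += 1
        by_prio[alert["prio"]] += 1
    return {"signatures": by_sig.most_common(top), "sources": by_src.most_common(top),
            "priorities": dict(by_prio), "skipped": skipped}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```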



"and the demo website wouldn't let me log on, which doesn't engender extreme confidence" ouch... I am the developer of Snorby and I'll bet 100 USD you were typing "snorby@snorby.com" (try .org). I have never had one issue with authentication or demo downtime since the launch of Snorby 2.x.x. Please make sure you verify credentials thoroughly before you post negative comments about a project to a large audience.

Aside from Snorby I would recommend Sguil. Sguil offers full packet capture, session data and numerous other powerful features. A bad UI is a small price to pay for valuable data.

mephux
  • I apologize for blaming the issue on Snorby in a public forum without checking it from another location. You'd lose your $100 (http://i.imgur.com/luwkh.jpg), but the honor of your project remains intact; I'm editing the post to reflect that. – user502 Feb 09 '11 at 13:46
  • That's odd. I have never seen a basic-auth dialog for Snorby outside of the full packet capture authentication and session timeouts. (and I wrote the software.. just saying) You have something horribly wrong (client-side) and also Snorby does not support IE 6, 7 or 8. P.S. You may want to try a more secure/feature-rich browser. Snorby uses a lot of HTML5/CSS3; you are missing out. I figured most people would be using Firefox or a WebKit browser. I should better document that and will (thanks). – mephux Feb 11 '11 at 16:03
  • At work, I need special dispensation to install anything besides IE7. After getting that dispensation (and Firefox) both demo.snorby.org and the local insta-snorby experiment seem to work perfectly. It certainly makes sense not to deal with the IE headache when developing a webapp, but a failover message about IE non-support on the default page would be cool. – user502 Feb 22 '11 at 20:00
  • Snorby seems to depend on versions of other programs more recent than are included in common distros' package managers. When the program is also one that's a severe dependency hell to install from source, like ImageMagick, this presents a bit of a barrier to entry. Insta-snorby is nice, but doesn't come in 64 bits, so I'm stuck back with BASE again :( – user502 Mar 29 '11 at 18:57
  • *plug* SecurityOnion is a great way to try out Snorby and many other NSM / network analysis tools. It is 64-bit and if you already have Ubuntu you can use their PPAs to shortcut a full install. Main site is http://securityonion.blogspot.com/ – adric Aug 07 '13 at 13:46
I'm using Aanval ®. New in Aanval v7 is its unique Situational Awareness engine, which provides in-depth event and architecture analysis of the host network. In some cases it's better than BASE; it's a little SIEM, but I use it alongside BASE and Snorby.

Mohsen Gh.

If you have enough money in your pocket, or less than 500 MB (but beware: in case of an attack and lots and lots of log files, Splunk may deactivate its parsing if you overrun your limits for a certain time):

Splunk for Snort