Thursday, April 14, 2011

BASE and Snorby: packet captures

Noticed that someone on the interwebz stated that Snorby captures full payload while BASE doesn't.  I read this as a comment on the Snorby pages.  Unless I'm totally off-base here, that's not the case, unless they're talking about something like netflows or something akin to it.  I believe one of the dev guys stated that only Snorby and Sguil offer full packet capturing.  That does NOT sound right and I believe he should clarify.

I'll dig up the link later, but it should be very apparent on their pages (it was to me, when I was perusing).

So, I pulled up my BASE console and looked at a sample packet.  To look at the payload/packets within BASE, you go to a line item and click on its "ID", which looks something like "2-278900".

BASE capture view:

Snorby capture view:

Now, I don't see either lacking in that regard.  This is enough for the analyst to determine a false positive vs. a real attack/concern.

Now, if I wanted to further investigate, I can (in BASE) go to a listing, then click the offending IP (or the other IP...doesn't matter).  Then I click "Unique alerts" or "Unique IP links" under "Summary Statistics":

Unique alerts
This is basic stuff here.  It shows the history of that particular IP...it shows everything that was ever recorded from that IP, and you can dig down from there.  Source/Destination would show bidirectional traffic between the offending IP and whatever it was communicating with.  I'll get payload every time, IF (BIG IF HERE) the Snort signature is designed to capture payload and if the traffic even has payload.

I don't understand the argument of saying that BASE doesn't capture full payload.  Of course, BASE won't.  It's just a SEM.  Snort would actually do the capturing.  It would also totally depend on who sets up Snort and their requirements.  The admin that configures Snort may not even have all the sigs enabled.  But, BASE will show any payload that Snort does capture.

At this point, Snorby's search and analytical functionality is lacking.  I've said this before and got ridiculed by one of the Snorby developers.  We all know Snorby is relatively new when comparing it to BASE, but until the Snorby dev team enables better query functionality and better ways to quickly track activity, I'm going to stick to my guns.  A pretty (and even simplified) interface is one thing, but when it comes to the meat and potatoes, candy apples don't cut it.  As an analyst, I'd not want to lose any type of query feature, as this will make a sometimes frustrating job all the more frustrating (been there, done that).

Lastly, I will NOT HAVE A PISSING MATCH over this.  I've been doing such comparisons for YEARS and am fully capable of judging what is acceptable and what is not regarding most security tools (that's why I get paid the big bucks), although I'm always objective in my opinions.  I definitely know what "best of breed" entails.  I'm going to put it out there:  Snorby is NOT best of breed.  I'd love it to be, but right now, it is NOT.  It has to help me sort/organize/filter information that helps me catch malware and such...much more than what it currently offers.  Right now, with Snorby, there's no such thing as digging down or simplifying the search through thousands of potentially bad security events.  "Packet capture options/Customer" isn't going to cut it.  It is good for the small investigation but not for the bigger tasks.  Let's be grown-ups about this topic and offer objective opinions.  If you can't do that, don't even try to leave some nasty comment on this blog.  Comment moderation is enabled.  Yes, I do require clarification on what is considered "full payload analysis", as I feel that's not enough of a description and could actually be relating to something else entirely different from the above (I doubt it, though).

2 comments:

Meller said...

LOL I am not sure if this is a troll or not, but here goes...

By "full packet capture" we are talking about being able to review an entire PCAP (not just the single payload packet) to analyze what happened before and after the alert fired. Snorby achieves this functionality by providing an integrated front-end to OpenFPC which in turn leverages DaemonLogger (both need to be installed).

This integration allows the analyst (without having to SSH to a box) to actually confirm through surrounding context whether or not a system was compromised instead of having to make assumptions.

Snorby's end goal isn't about being a front-end for one IDS; it's about giving analysts what they need to properly validate compromise (even beyond network data).

We encourage users to tune rulesets so that the amount of false positives in the console is kept to an absolute minimum. If you find that rules are firing and >50% of the time they are FP, it may be time to adjust the rule or retire it. A noisy IDS will fatigue and frustrate analysts.

RS said...

Yes. Akin to how some enterprise IDS devices can capture packets that precede a triggered signature, so you can see what happened before the alarm (as well as configuring the device to capture packets after an alarm was triggered).

No, BASE won't do this. It was based off of ACID, which was created quite a while ago. ACID is pretty much dead and BASE, while not officially dead, is very quiet development-wise. A last generation tool is usually at a disadvantage when being compared to something that is more current. What BASE did was break ground for future security event managers.

Everything else you mention compares pretty well with any similar solution, as well as your comments about tuning rulesets. A SEM isn't worth crap if the IDS's rulebase isn't tuned to the environment that the IDS is monitoring.

You guys make any headway on querying? I'll check its progress as soon as I've some free cycles.