Comments on The 'S' Files: BASE and Snorby: packet captures

Meller (2011-05-17 16:29 -04:00):

LOL I am not sure if this is a troll or not, but here goes...

By "full packet capture" we are talking about being able to review an entire PCAP (not just the single payload packet) to analyze what happened before and after the alert fired. Snorby achieves this functionality by providing an integrated front-end to OpenFPC, which in turn leverages Daemonlogger (both need to be installed).

This integration allows the analyst (without having to SSH to a box) to actually confirm through surrounding context whether or not a system was compromised instead of having to make assumptions.

Snorby's end goal isn't about being a front-end for one IDS; it's about giving analysts what they need to properly validate compromise (even beyond network data).

We encourage that users tune rulesets so that the number of false positives in the console is kept to an absolute minimum. If you find that rules are firing and >50% of the time they are FP, it may be time to adjust the rule or retire it. A noisy IDS will fatigue and frustrate analysts.

RS (2011-07-19 20:30 -04:00):

Yes. Akin to how some enterprise IDS devices can capture packets that precede a triggered signature, so you can see what happened before the alarm (as well as configuring the device to capture packets after an alarm was triggered).

No, BASE won't do this. It was based off of ACID, which was created quite a while ago. ACID is pretty much dead and BASE, while not officially dead, is very quiet development-wise. A last-generation tool is usually at a disadvantage when being compared to something that is more current. What BASE did was break ground for future security event managers.

Everything else you mention compares pretty well with any similar solution, as well as your comments about tuning rulesets. A SEM isn't worth crap if the IDS's rulebase isn't tuned to the environment that the IDS is monitoring.

You guys make any headway on querying? I'll check its progress as soon as I've some free cycles.