Re: [Smoothsec-talk] Few new installation questions about Smooth Sec Snorby IDS/IPS Linux distribution.
From: <ph...@ba...> - 2012-02-15 17:38:26
On 02/14/2012 04:55 PM, Joseph Spenner wrote:
> Hello, I'm just getting started and have a few questions.
>
> 1) Snorby itself, as presented on http://www.snorby.org/ looks a lot
> like Smooth-Sec, as presented on http://bailey.st/blog/smooth-sec/
> What is the difference between these 2 ISO images?

Insta-Snorby is equipped with Snort as its IDS/IPS engine; Smooth-Sec uses Suricata as its IDS/IPS engine.

> 2) I read on the Snorby site that it interfaces with Snort, Suricata,
> and Sagan. Does this mean I can use the snort rules I get from my
> oinkmaster code? Advantages/disadvantages over using the Emerging Rules
> file which appears to be part of the Smooth-Sec distro?

Suricata supports Snort rules as well. Snorby is the web interface, and can be plugged into any IDS/HBIDS that is compatible with the Snort standard. Using Snort or Suricata is a matter of taste.

> 3) How often is that file,
> http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
> updated, generally?

The rules are updated on a daily basis.

> 4) I saw something called "Insta Snorby". Anyone know much about this?
> http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution

If you want to use Snort, go ahead with Insta-Snorby.

> 5) I've had my Smooth-Sec up and running for nearly a day. I'm not
> seeing anything on the Dashboard (all 3 are zero), but in the right
> column under the "Last 5 Unique Events", I see items in the ET Policy
> sections:
> 30 of "ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)", with a
> red 1 (High Severity)
> 1 of "ET POLICY Suspicious inbound to Oracle SQL port 1521", with a
> yellow 2 (Medium Severity)
> Why don't these show up in the main screen area of the Dashboard?

Check if the Snorby worker is working and caching the events; if the Worker doesn't show up, you can start it manually with the script /root/script.utils/StartWorker

> Any help would be great.
>
> Thanks!

Peace,
Phillip
--
www.bailey.st
IM: p0b...@ja...
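Two points in the reply above are easier to see with a small parser: Suricata loads Snort rules because both engines share the same rule header and option syntax, and the "1 (High)" / "2 (Medium)" Snorby shows next to an alert is the rule's priority, taken from an explicit priority: option or, failing that, from the classtype's default in classification.config. The following is an added example written for this thread; it is not code from Smooth-Sec, Snorby, Suricata or Emerging Threats. The sample rules are constructed (local-range sids, bodies made up) and only their msg strings echo the alerts named in the thread; the classtype-to-priority table assumes the stock classification.config has not been overridden.

```python
"""Parse Snort/Suricata rules and derive the 1/2/3 severity Snorby shows.

Added example for this thread, not code from Smooth-Sec, Snorby, Suricata or
Emerging Threats. Sample rules below are constructed (local-range sids); only
their msg strings echo alerts named in the thread.
"""
import re
from dataclasses import dataclass

# header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)
# Defaults from the stock classification.config (assumption: not overridden).
CLASSTYPE_PRIORITY = {"policy-violation": 1, "trojan-activity": 1,
                      "bad-unknown": 2, "misc-activity": 3}
SEVERITY_LABEL = {1: "High", 2: "Medium", 3: "Low"}  # Snorby's labels

SAMPLE_RULES = r'''
# constructed rules, not the real ET signatures
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S,12; threshold:type limit, track by_src, count 5, seconds 60; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established; content:"Internet Widgits Pty"; nocase; classtype:policy-violation; priority:1; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TEST escaped semicolon"; \
    content:"GET /a\;b"; sid:1000003; rev:1;)
'''


def split_options(body):
    """Split the option body on ';' outside double quotes; a backslash
    escapes the next character, so '\\;' inside content does not split."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    opts = []
    for p in parts:
        if p:
            k, sep, v = p.partition(":")
            opts.append((k.strip(), v.strip() if sep else None))  # flags -> None
    return opts


@dataclass
class Rule:
    header: dict   # action, proto, src, sport, dir, dst, dport
    options: list  # (keyword, value) in rule order; value None for flags like nocase

    def first(self, key):
        return next((v for k, v in self.options if k == key), None)

    @property
    def msg(self):
        v = self.first("msg")
        return v[1:-1] if v and len(v) >= 2 and v[0] == v[-1] == '"' else v

    @property
    def sid(self):
        return int(self.first("sid"))

    @property
    def priority(self):
        """Explicit priority: beats the classtype default; no classtype -> 3."""
        p = self.first("priority")
        return int(p) if p is not None else CLASSTYPE_PRIORITY.get(self.first("classtype"), 3)

    @property
    def severity(self):
        return SEVERITY_LABEL.get(self.priority, str(self.priority))


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    header = {k: v for k, v in m.groupdict().items() if k != "options"}
    return Rule(header, split_options(m["options"]))


def parse_rules(text):
    """Parse a rules file body: skips blanks and comments, joins '\\' continuations."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.strip() and not line.lstrip().startswith("#"):
            rules.append(parse_rule(line))
    return rules


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print(f"sid {r.sid}  priority {r.priority} ({r.severity})  {r.msg}")
```

Run against a real emerging.rules.tar.gz extract, the same loop gives a quick inventory of which rules will surface as High/Medium/Low in Snorby before the first alert fires; rules that set neither priority nor a known classtype fall to 3 here, which is a policy of this parser rather than something the engines guarantee.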