Author Topic: Snorby or equivalent

nebula

  • Newbie
  • Posts: 6
on: June 18, 2013, 11:50:01 PM
Would love to have a snort frontend (most appreciated "Snorby") built in the repo.

Thx,



ZEROF

  • Hero Member
  • Posts: 1247
  • Pen Tester
Reply #1 on: June 19, 2013, 12:34:30 AM
Hi nebula,

Do you know what this tool actually does? Do you think that we need to protect BackBox :) ?

This tool is good for system administrators, and has nothing to do with testing system security. BackBox is made for penetration testing, not watching, but like you (I guess) I like tools to help me in my daily job.

And before you install this app, you need to install:

Snort or Suricata or Sagan
GIT
Ruby ~> 1.9.2
Rails ~> 3.0.0
ImageMagick ~> 6.6.4
Wkhtmltopdf

And from what I can see, you can install this app from git (git clone url to application). What I think about this app: it's just great to have it, and if you have time, make a tutorial on how to use this app with BackBox. Share with us your experience.
« Last Edit: June 19, 2013, 12:42:39 AM by ZEROF »


Don't ask, read : http://wiki.backbox.org
or just run sudo rm -rf /*


nebula

  • Newbie
  • Posts: 6
Reply #2 on: June 21, 2013, 11:41:50 PM
Snort is a very useful tool; well, Snorby is more of an intrusion detection frontend, but nevertheless. In some cases you want to see everything on a network, or in between 2 points.

However, here's a script that makes the install process as easy as 1-2-3.
https://github.com/da667/Autosnort

The script contains everything for "snort", "barnyard2" , "base", "snorby" and "aanval".

As of today the latest release was Friday, June 14, 2013.
Rgds,
« Last Edit: June 21, 2013, 11:45:53 PM by nebula »



b4sil

  • Newbie
  • Posts: 6
Reply #3 on: September 30, 2013, 01:35:50 PM
I agree with nebula on this topic.

Actually, besides penetration testing, there should be more tools to investigate any incident-related stuff.

For example, I always install an IDS and a log management tool such as Splunk in my pentest distro. It is handy for dealing with huge amounts of logs during your security incident research.

For example, you can send your 30 GB log to your IDS with a packet replay tool to reduce your sample space when analyzing the signatures etc. regarding the results of the IDS alerts.

Of course this is a matter of strategy of the distro itself to make the decision to stay only a pentesting distro or enlarge into a whole security distro.
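The "reduce your sample space" step above, as an added example that is not code from any poster or from Snorby: it parses Snort's alert_fast output (layout assumed from Snort's documented format) and collapses a replayed capture's alerts into one row per signature, ordered by priority and frequency. The sample alert lines are constructed for this example.

```python
import re
from collections import Counter

# Assumed Snort alert_fast line layout (sample lines below are constructed):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {PROTO} src -> dst
# Classification is optional, and ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

SAMPLE_ALERTS = """\
06/14-10:02:11.104233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234
06/14-10:02:12.220001  [**] [1:1000001:1] LOCAL ping sweep test rule [**] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5
06/14-10:02:13.000123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.11:40022
not an alert line, should be skipped
"""

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    return a

def summarize(lines):
    """Group alerts by (gid, sid); return rows (gid, sid, msg, priority, count, distinct_dst_hosts),
    most severe priority first (Snort priority 1 is highest), then most frequent."""
    counts, dests, meta = Counter(), {}, {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # non-alert lines (e.g. Snort banner text) are skipped
        key = (a["gid"], a["sid"])
        counts[key] += 1
        dests.setdefault(key, set()).add(a["dst"].rsplit(":", 1)[0])  # strip IPv4 port
        meta[key] = (a["msg"], a["prio"])
    rows = [(g, s, *meta[(g, s)], n, len(dests[(g, s)])) for (g, s), n in counts.items()]
    return sorted(rows, key=lambda r: (r[3], -r[4]))
```

Feed it the alert file Snort writes while replaying the capture, and the distinct-destination count shows at a glance whether a signature fired against one host or across the network.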