Netgate Discussion Forum

What to use to report and analyse snort alerts?

IDS/IPS
    bimmerdriver
    last edited by Sep 9, 2017, 6:07 PM

    Before I switched to pfSense, I used Sophos UTM. It is closed source, but had some nice features, in particular analysis and reporting of intrusion attempts. UTM used Snort for collecting and detecting information and it had an analysis and reporting layer on top of Snort. Even a few years ago, it generated reports and it was possible to query alerts to find out what addresses are attacking, what addresses are being attacked, etc. Without this capability, I find that Snort is not nearly as useful as it could be. It basically fills the general log with events.

    I looked on the Snort Wikipedia page and it lists Snorby, BASE, Sguil and Aanval as "third-party" applications. I've seen other references to Squert and ELSA. The only one of these packages that appears to be under active development is Aanval. Aanval is not open-source, but they have a free "lite" version.

    I'm interested to know what everyone is using and if anyone has tried Aanval.

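    The "what addresses are attacking, what addresses are being attacked" view the post asks for can be built directly from Snort's alert_fast output, without any of the packages discussed in the thread. The script below is an added example and is not from the original thread, from pfSense or from any product named here; it parses alert_fast lines with a regular expression and aggregates them by source address, destination address and signature. The alert lines, the message texts, the SIDs in the local 1000001+ range and the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are all constructed for the example.

```python
"""Summarise Snort alert_fast lines by attacker, target and signature (added example)."""
import re
from collections import Counter

# Layout of one Snort alert_fast line (IPv4 shown; ports are absent for ICMP):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>[:<sport>] -> <dst>[:<dport>]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real traffic); the last line is deliberately malformed.
SAMPLE_ALERTS = """\
09/09-18:07:01.123456  [**] [1:1000001:1] LOCAL Inbound SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22
09/09-18:07:02.222222  [**] [1:1000001:1] LOCAL Inbound SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51235 -> 192.0.2.10:22
09/09-18:07:05.333333  [**] [1:1000002:2] LOCAL Inbound HTTP scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.0.2.20:80
09/09-18:07:09.444444  [**] [1:1000003:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.20
this line is not a snort alert and must be counted as unparsed
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["sig_id"] = f"{d['gid']}:{d['sid']}:{d['rev']}"
    d["priority"] = int(d["priority"])
    # Ports are None for protocols without them (e.g. ICMP), otherwise ints.
    d["sport"] = int(d["sport"]) if d["sport"] is not None else None
    d["dport"] = int(d["dport"]) if d["dport"] is not None else None
    return d


def summarise(lines):
    """Count alerts per source, per destination and per signature; count unparsable lines."""
    summary = {"by_src": Counter(), "by_dst": Counter(), "by_sig": Counter(), "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            summary["unparsed"] += 1  # never silently drop lines the parser cannot read
            continue
        summary["by_src"][alert["src"]] += 1
        summary["by_dst"][alert["dst"]] += 1
        summary["by_sig"][(alert["sig_id"], alert["msg"])] += 1
    return summary


def report(summary, top_n=5):
    """Render the summary as plain text, most frequent entries first."""
    out = ["Top sources (attacking):"]
    out += [f"  {ip:<16} {n}" for ip, n in summary["by_src"].most_common(top_n)]
    out.append("Top destinations (attacked):")
    out += [f"  {ip:<16} {n}" for ip, n in summary["by_dst"].most_common(top_n)]
    out.append("Top signatures:")
    out += [f"  {sig:<14} {n:>3}  {msg}" for (sig, msg), n in summary["by_sig"].most_common(top_n)]
    out.append(f"Unparsed lines: {summary['unparsed']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with open("alert").read() to run this against a real alert_fast file.
    print(report(summarise(SAMPLE_ALERTS.splitlines())))
```

    The regular expression is deliberately strict and anything it does not recognise is counted rather than dropped, so a format change (or an IPv6 alert, which this IPv4-only pattern does not handle) shows up in the "Unparsed lines" count instead of silently skewing the totals.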
      bmeeks
      last edited by Sep 9, 2017, 11:54 PM

      This feature (elaborate log analysis and various degrees of automation for it) is one area where open source software sometimes falls a bit short.  Snorby was popular for a while, but as you mentioned I think it may no longer be as supported as it once was.  Some folks I know are using an ELK stack for this kind of collection and analysis.  I did use Snorby a couple of years or so back, but gave up because the virtual machine would frequently go out to lunch.  Usually it would be something related to Ruby and all those "gem things" …  ;).  Also found updating Snorby to be a pain in the butt because of Ruby.  I have never developed an affection for Ruby ...  :-.

      As you found, the closed-source packages are better at this automated log analysis stuff.  Sorry to not be of much help.  Maybe some other users can chime in with better experiences.

      Bill

        rlrobs
        last edited by Sep 10, 2017, 6:42 PM

        Graylog, it's excellent!

          Velcro
          last edited by Sep 11, 2017, 10:03 PM

          I had asked a similar question on Slack. I was advised to explore setting up ..."a SPAN/port..." and use https://securityonion.net.

          Additional advice was to use "...barnyard2 to send logs to an aggregation for tuning and analysis."

          I haven't followed up on the solutions but it's on my list.

          Good luck!

            JasonAU
            last edited by Sep 12, 2017, 8:03 AM

            @rlrobs:

            Graylog, it's excellent!

            I've heard a few people recommend this now. I've had similar questions as the OP myself, so I might have to sit down and check out Graylog some day.

            Brisbane Queensland Australia

              bimmerdriver
              last edited by Sep 12, 2017, 8:06 PM

              There is a free "lite" version of Aanval. I'm considering giving it a try, just have to find the time.

                JasonAU
                last edited by Sep 13, 2017, 8:35 AM

                Out of interest, are most of the solutions mentioned something you would run on a separate server rather than the pfSense box?

                Or can some of them be installed (perhaps not from the default package manager) on the same box?

                Brisbane Queensland Australia

                  bmeeks
                  last edited Sep 13, 2017, 12:49 PM (posted Sep 13, 2017, 12:44 PM)

                  @JasonAU:

                  Out of interest, are most of the solutions mentioned something you would run on a separate server rather than the pfSense box?

                  Or can some of them be installed (perhaps not from the default package manager) on the same box?

                  You almost certainly want to run any log analysis software on a separate box.  Remember all software is likely to have some vulnerability someplace in the code.  So putting lots of extra software on your firewall expands the attack surface by opening up more potential vulnerabilities for a bad guy to exploit.  There is also the issue of shared common library compatibility problems as you start to install stuff that will put its own versions of libraries on the system.  Remember "DLL Hell" from Windows …  ;).

                  Most log analysis packages are likely to contain some type of database to hold either the raw data, the analysis results or both.  A VMware or similar server would be a good choice.  Put the log analysis package on a virtual machine by itself.  Then you have isolated any potential vulnerabilities.  And with a dedicated virtual machine, there is never any worry about shared library compatibility issues.

                  Bill

                    repomanz
                    last edited by Oct 20, 2017, 2:53 AM

                    Speaking of Aanval, does anyone have a guide for pfSense + Aanval on Ubuntu they'd like to share? If not, I'll just dig through all the docs on the Aanval wiki.

                      tfirew
                      last edited by Nov 8, 2017, 7:22 PM

                      On Aanval,

                      I did try this out and found it to really be a commercial product. It was not of much use to me in the "freeware" state. In fact I would not call it freeware but instead trialware. Support is limited or non-existent for a free user.

                      2 cents

                      Bill

                        bimmerdriver
                        last edited by Mar 22, 2018, 1:27 AM

                        @tfirew:

                        On Aanval,

                        I did try this out and found it to really be a commercial product. It was not of much use to me in the "freeware" state. In fact I would not call it freeware but instead trialware. Support is limited or non-existent for a free user.

                        2 cents

                        Bill

                        Thanks for the info. Did the free version do anything useful over and above Snort in pfSense? Do you have any notes from getting it running with pfSense?

                          lindsay
                          last edited by Mar 22, 2018, 9:35 PM

                          https://github.com/redhat-infosec/charlotte

                          Fiberline 500/500Mbps
                          Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.