What to use to report and analyse snort alerts?

rlrobs

Graylog its excelent!

Velcro

I had asked a similar question on Slack…I was advised to explore setting up ..."a SPAN/port..." and use https://securityonion.net.

Additional advice was to use "...barnyard2 to send logs to an aggregation for tuning and analysis."

I haven't followed up on the solutions but its on my list.

Good luck!

JasonAU

@rlrobs:

Graylog its excelent!

I've heard a few people recommend this now I've had similar questions as the OP myself I might have to sit down and check out Greylog some day

bimmerdriver

There is a free "lite" version of anvaal. I'm considering giving it a try, just have to find the time.

JasonAU

Out of interest are most of the solutions mentioned something you would run on a separate server rather than the Pfsense box ?

Or can some of them be installed (perhaps not from the default package manager) on the same box

bmeeks

@JasonAU:

Out of interest are most of the solutions mentioned something you would run on a separate server rather than the Pfsense box ?

Or can some of them be installed (perhaps not from the default package manager) on the same box

You almost certainly want to run any log analysis software on a separate box.  Remember all software is likely to have some vulnerability someplace in the code.  So putting lots of extra software on your firewall expands the attack surface by opening up more potential vulnerabilities for a bad guy to exploit.  There is also the issue of shared common library compatibility problems as you start to install stuff that will put its own versions of libraries on the system.  Remember "DLL Hell" from Windows …  ;).

Most log analysis packages are likely to contain some type of database to hold either the raw data, the analysis results or both.  A VMware or similar server would be a good choice.  Put the log analysis package on a virtual machine by itself.  Then you have isolated any potential vulnerabilities.  And with a dedicated virtual machine, there is never any worry about shared library compatibility issues.

Bill

repomanz

Speaking of Aanval.  Does anyone have a guide for pfsense + Aanval on Ubuntu they'd like to share? If not I'll just dig through all the docs on Aanval wiki.

tfirew

On Aanval,

I did try this out and found it to really be a commercial product. It was not of much use to me in the "freeware" state. In fact I would not call it freeware but instead trialware. Support is limited or non-existent for a free user.

2 cents

Bill

bimmerdriver

@tfirew:

On Aanval,

I did try this out and found it to really be a commercial product. It was not of much use to me in the "freeware" state. In fact I would not call it freeware but instead trialware. Support is limited or non-existent for a free user.

2 cents

Bill

Thanks for the info. Did the free version do anything useful over and above snort in pfsense? Do you have any notes from getting it running with pfsense?

lindsay

https://github.com/redhat-infosec/charlotte