Posted by Wordmobi
I have recently been doing a fair bit of work trying to find a replacement for my ACID/BASE front-end for Snort. This has been proving somewhat difficult. The closest I have come to a usable solution was modifying Splunk to use custom filters, etc.; however, although Splunk is an incredibly powerful analysis tool, it seems to be somewhat overkill for just monitoring Snort events. I’d like to point out that I hold no gripes with the Sguil/BASE development; they are great tools, just under-developed! (I know Bamm has recently said he will continue development on Sguil once more, however I will wait to see that his promise comes to fruition before delving further.)
After playing around with various options and test environments, I was getting fed up with clunky interfaces and over-complicated scenarios when I happened to come across Snorby…
Snorby, as described by @mephux, is a new and modern Snort IDS front-end. The fundamental concepts behind Snorby are simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring, for both private and enterprise use.
After downloading a recently created VMware appliance with a configured version of Snort, Barnyard, Apache (or maybe WEBrick, I can’t quite remember) and Snorby all ready to go, I was eager to get it running and hammer it with some traffic. I had some initial issues binding to the NIC in my VM: I was using a host-only vmnet, and the default install comes pre-configured with a static IP and, for some unknown reason, was scripted to bring up eth0, whereas in my VM the only NIC available was eth1. No problem; I just changed the /etc/network/interfaces file to reflect my changes and get an address via DHCP. The Snorby startup script is configured to bind to all available interfaces and works out of the box.
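The mismatch above (a shipped config that names eth0 on a host that only has eth1) is easy to catch before networking or the sensor is brought up. The following POSIX shell check is an added example and not part of the original post or the appliance; the interfaces file content and the list of present interfaces are constructed samples, and the same check applies to the interface name handed to Snort.

```shell
#!/bin/sh
# Added example: verify that every non-loopback interface declared in a
# Debian-style /etc/network/interfaces file actually exists on the host.
# Not part of the original post; inputs below are constructed samples.

# Constructed sample of the appliance's shipped config (static eth0).
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0'

# Print the non-loopback interface names declared in an interfaces file
# read from stdin, one per line.
declared_ifaces() {
    awk '$1 == "iface" && $2 != "lo" { print $2 }'
}

# Return 0 if interface $1 appears in the space-separated list $2 of
# present interfaces (on a real host pass "$(ls /sys/class/net)").
iface_present() {
    for i in $2; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Print each declared interface missing from the host; return 1 if any.
# $1: interfaces file text, $2: present interfaces.
missing_ifaces() {
    rc=0
    for name in $(printf '%s\n' "$1" | declared_ifaces); do
        if ! iface_present "$name" "$2"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Demo with a constructed host interface list (the VM only had eth1).
if missing_ifaces "$SAMPLE_INTERFACES" "lo eth1"; then
    echo "all declared interfaces exist"
else
    echo "fix /etc/network/interfaces (and snort -i) before starting"
fi
```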
Now came the fun bit. After modifying the snort.conf file to reflect the NIC changes and bind to the correct interface, I sent it some nmap port-scanning activity and a few random Metasploit payloads to generate some alerts. All seemed well, and now came the time to view the hits using Snorby. First impressions upon loading the interface were great – finally, a Snort front-end that actually looks great! The typical dashboard layout has plenty of potential and plenty of eye-candy!

So far I am incredibly excited about the prospects this has: it is written in Ruby, is completely open source and is, well, damn sexy! I hope Dustin continues development, and I have offered my help on the project, as I really would like to see this take off and go on to high places; it certainly has the potential to be something big.