Re: [security-onion] Snorby and Sguil seems to be giving me the same information?


Doug Burks

Dec 29, 2012, 9:18:01 AM
to securit...@googlegroups.com
Hi Casper,

Here is a quick comparison of our implementations of Snorby, Sguil, and ELSA. It's up to you to determine which interface(s) best fit your workflow and the data you're looking for. 

Snorby gives you access to:
- NIDS alerts
- pivot to full transcript for TCP traffic

Sguil gives you access to:
- NIDS alerts
- HIDS alerts
- session data from PRADS
- asset data from PRADS
- transaction logs (HTTP logs from Bro)
- pivot to full packet capture from any of the above

We also have ELSA which gives you access to:
- NIDS alerts
- HIDS alerts
- session data from Bro
- asset data from Bro
- transaction logs from Bro (HTTP, FTP, SSL, etc.)
- pivot to full transcript for TCP traffic

Hope that helps!

Thanks,
Doug

On Saturday, December 29, 2012, wrote:
Hi all,

I hope you don't see me as spamming this mailing list, but as you may all know by now I'm new and trying to get to know this product.

So I finally got my test environment up and running.

I have logged in to both Sguil and Snorby with the different accounts.

From what my first glance tells me, they both give me the same information? Of course presented in a different way, but I actually thought they would give me different information..

My question is not to provoke but to understand.

My question is why not just use Snorby? and therefore not Security Onion? I fail to see now why I would want both Sguil and Snorby? My assumption was that the two products would give me information in different ways, but that doesn't seem to be the case now that I have it running.

Sincerely

Casper

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To post to this group, send email to securit...@googlegroups.com.
To unsubscribe from this group, send email to security-onio...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.




--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Dec 29, 2012, 10:25:40 AM
to securit...@googlegroups.com
Squert is the web interface for Sguil, but it doesn't give you all the functionality of the full Sguil client. We recommend installing Security Onion in a VM on your workstation and pointing the Sguil client at your Sguil server. This gives you a local copy of the full Sguil client, Wireshark, and NetworkMiner so that you can quickly and easily pivot from an event in Sguil to viewing the full packet capture as an ASCII transcript, or sending the pcap to Wireshark or NetworkMiner. 

Doug

On Saturday, December 29, 2012, wrote:
Hi Doug

Nice to get that clarified!!

So Sguil is the way to get the most complete overview if you are not interested in the layer 7 protocols?

Do you know if there is any way to see Sguil information remotely, so I don't have to log in to the server to see it? Like a web interface or something of the like?

Sincerely

Casper

PS: Happy New Year :)




Doug Burks

Dec 31, 2012, 9:02:10 AM
to securit...@googlegroups.com
On Mon, Dec 31, 2012 at 1:41 AM, <casper.a...@gmail.com> wrote:

> Hi Dough,

Hi Casper,

It's "Doug", not "Dough" :)

> So could the process be as follows:
>
> You are monitoring Snorby and an alert pops up that needs attention.
>
> I then open my local VM with Security onion and from there log into my Sguil server with my Sguil Client?

Correct so far.

> In other words, can I be sure all alerts, no matter what they may be, as long as they are Security Onion related, will in some form appear in my Snorby web interface?

No. Look back at the comparison I gave you earlier in the thread.
There are going to be alerts that appear in Sguil that would never
appear in Snorby.

> I would prefer using Snorby as first contact. We have a couple of big screens where we monitor our clients, and it would be easiest to add another web page to that setup than to have a VM with Sguil running alongside all the other monitoring tools we use.
>
> Happy New Year!

Happy New Year to you, too!

Thanks,