

Suricata-GUI


22-06-2010 06:35 PM
1


Hello dear list,

Can we use a GUI with Suricata IPS to show results?

If yes, how, and which is the best one?



Regards.


22-06-2010 06:43 PM
2


You can use anything that will take output from barnyard or can handle
unified/unified2 output natively. These tend to be the most popular
ones I think, although I'm sure there are many more.

http://base.secureideas.net/
http://snorby.org/
http://sguil.sourceforge.net/

Regards,

Will

___________________________________________________

Posted on the Oisf-users mailing list. Go to http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users to subscribe.


22-06-2010 07:10 PM
3


Yes they do. But you can use barnyard/barnyard2 to feed the respective
databases using the unified/unified2 output from Suricata.

Regards,

Will

On Tue, Jun 22, 2010 at 10:13 AM, Martin Spinassi wrote:
> Will,
>
> AFAIK, those GUI tools need a database to gather Suricata's statistics,
> but Suricata works with plain logs, not with a DB, am I right?
>
> Regards,
>
> Martin


22-06-2010 07:13 PM
4


On Tue, 2010-06-22 at 09:43 -0500, Will Metcalf wrote:
> You can use anything that will take output from barnyard or can handle
> unified/unified2 output natively. These tend to be the most popular
> ones I think, although I'm sure there are many more.
>
> http://base.secureideas.net/
> http://snorby.org/
> http://sguil.sourceforge.net/
>
> Regards,
>
> Will

Will,

AFAIK, those GUI tools need a database to gather Suricata's statistics,
but Suricata works with plain logs, not with a DB, am I right?


Regards,

Martin

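The exchange above turns on what Suricata's "plain logs" actually are: the unified/unified2 files are binary records (a type/length header followed by an event or packet body), and barnyard2's job is to tail them and turn each record into rows for the database that BASE, Snorby or Sguil query. The reader below is an added example for this thread, not code from Suricata, barnyard2 or any of the GUIs. It follows the unified2 record layouts barnyard2 works with (record header, IPv4 event in the 52-byte and 60-byte forms, packet record), skips record types it does not know, and treats a record cut short at the end of the file as "wait for more data" rather than corruption, which is the situation a tailing reader meets while Suricata is still writing. The sample bytes, sensor and signature numbers, addresses and timestamps are constructed for the example.

```python
"""Reader for Suricata's unified2 spool files (added example, not project code).

Record layouts follow the unified2 definitions barnyard2 consumes; the
sample file produced by build_sample() is constructed for this example.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

# unified2 record types handled here; other types are skipped, not rejected
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7           # IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104    # IPv4 event plus MPLS/VLAN fields, 60-byte body

HEADER = struct.Struct(">II")              # record type, body length (big-endian)
EVENT_V1 = struct.Struct(">11IHHBBBB")     # 52 bytes
EVENT_V2 = struct.Struct(">11IHHBBBBIHH")  # 60 bytes (adds mpls_label, vlan_id, pad)
PACKET_HDR = struct.Struct(">7I")          # 28 bytes, then packet_length bytes of packet


@dataclass
class Event:
    sensor_id: int
    event_id: int
    event_second: int
    event_microsecond: int
    signature_id: int
    generator_id: int
    signature_revision: int
    classification_id: int
    priority_id: int
    src_ip: str
    dst_ip: str
    sport_itype: int
    dport_icode: int
    protocol: int
    impact_flag: int
    impact: int
    blocked: int
    mpls_label: int = 0
    vlan_id: int = 0


@dataclass
class Packet:
    sensor_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_microsecond: int
    linktype: int
    data: bytes


def _ipv4(n: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_unified2(buf: bytes) -> Tuple[List[Union[Event, Packet]], int]:
    """Return (records, bytes_consumed).

    A record truncated at the end of buf is left unconsumed instead of raising:
    Suricata may still be appending to the file, and a tailing reader retries
    from the returned offset once more bytes arrive.
    """
    records: List[Union[Event, Packet]] = []
    off = 0
    while off + HEADER.size <= len(buf):
        rtype, length = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + length
        if end > len(buf):
            break                              # partial trailing record
        body = buf[off + HEADER.size:end]
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            fmt = EVENT_V2 if rtype == UNIFIED2_IDS_EVENT_VLAN else EVENT_V1
            if length < fmt.size:
                raise ValueError(f"event record too short: {length} < {fmt.size}")
            f = fmt.unpack_from(body)
            mpls, vlan = (f[17], f[18]) if fmt is EVENT_V2 else (0, 0)
            records.append(Event(*f[:9], _ipv4(f[9]), _ipv4(f[10]), *f[11:17], mpls, vlan))
        elif rtype == UNIFIED2_PACKET:
            if length < PACKET_HDR.size:
                raise ValueError("packet record too short")
            f = PACKET_HDR.unpack_from(body)
            data = body[PACKET_HDR.size:PACKET_HDR.size + f[6]]
            if len(data) != f[6]:
                raise ValueError("packet_length exceeds record body")
            records.append(Packet(*f[:6], data))
        off = end
    return records, off


def summarize(ev: Event) -> str:
    """One-line view of an event, the fields a GUI shows after sid/gid lookup."""
    return (f"[{ev.generator_id}:{ev.signature_id}:{ev.signature_revision}] "
            f"{ev.src_ip}:{ev.sport_itype} -> {ev.dst_ip}:{ev.dport_icode} "
            f"proto={ev.protocol} prio={ev.priority_id}")


def build_sample() -> bytes:
    """Constructed spool file: one v2 event, its packet, then a truncated record."""
    ev = EVENT_V2.pack(
        1, 42, 1277222400, 123456,          # sensor, event id, seconds, usec (constructed)
        2010000, 1, 7, 3, 2,                # sid, gid, rev, classification, priority
        int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
        int.from_bytes(socket.inet_aton("192.0.2.10"), "big"),
        51515, 80, 6, 0, 0, 0,              # sport, dport, proto TCP, impact_flag, impact, blocked
        0, 0, 0)                            # mpls_label, vlan_id, pad
    pkt_data = b"\x00" * 14 + b"\x45" + b"\x00" * 19   # placeholder Ethernet+IP bytes
    pkt = PACKET_HDR.pack(1, 42, 1277222400, 1277222400, 123456, 1, len(pkt_data)) + pkt_data
    truncated = HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, EVENT_V2.size) + b"\x00" * 10
    return (HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, len(ev)) + ev
            + HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt
            + truncated)


if __name__ == "__main__":
    recs, used = parse_unified2(build_sample())
    for r in recs:
        print(summarize(r) if isinstance(r, Event) else f"packet record, {len(r.data)} bytes")
    print(f"consumed {used} bytes; remainder is a partial record")
```

The point of returning the consumed offset is the same reason barnyard2 keeps a waldo file: the reader records how far it got and resumes from there, so a spool file that is still growing is never treated as corrupt and no event is loaded twice after a restart.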


22-06-2010 08:22 PM
5


Please, can you guide me: where can I find the install solution (with Suricata)?


Thank you.




22-06-2010 09:57 PM
6


Any of the available on-line guides for snort should work for us.
Instead of pointing barnyard/barnyard2 at a snort output directory
containing unified and unified2 files you can point it at a suricata
output directory containing unified/unified2 output.

Regards,

Will



23-06-2010 01:57 PM
7


On 06/22/2010 04:43 PM, Will Metcalf wrote:
> You can use anything that will take output from barnyard or can handle
> unified/unified2 output natively. These tend to be the most popular
> ones I think, although I'm sure there are many more.
>
> http://base.secureideas.net/
> http://snorby.org/
> http://sguil.sourceforge.net/
>

Hi,

I'd also add that you can use Prelude (as a SIEM), since Suricata has native
support, and have Prewikka as the interface.

Pierre



23-06-2010 02:32 PM
8


Thank you Will, Brant, I'll do it.

thank you Pierre,
Can you explain it to me in French :) ?



Anas




06-07-2010 04:09 PM
9


I think the first thing to install is the database, but there is no
script to create the tables, as there is with Snort!!
And there is no

    # output alert_unified: filename snort.alert, limit 128
    # output log_unified: filename snort.log, limit 128

in suricata.yaml; we don't have any reference to it!
Or do we not need to indicate this, as the files are already unified2?

Also, to get Barnyard's output:

- Log_acid_db: database type (MySQL)
- Database: name of the Snort database (snort)
- Server: server name (localhost)
- User: user name for connecting to the Snort database
- Password: associated password
- Detail: level of detail (full)

I should already have a database!!
So what is its structure?!!

thanks.

Anas


> I would recommend starting with BASE from
>
> >> http://base.secureideas.net/
>
> Follow the documentation from there and get the web pages to load (of
> course, there won't be any information in them).
>
> That will be a start. Once you get that installed, write back and we can
> give you some pointers for getting Barnyard working with Suricata.
>
> See yas!
> ~Brant
>
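The two open points in the last message, where the Snort-style `output alert_unified:` lines went and where the database schema comes from, are config questions rather than code ones. The fragment below is an added example for this thread, not copied from the thread or from the Suricata source: it shows the `outputs:` section of suricata.yaml in the Suricata 1.0-era layout, which is the counterpart of Snort's unified lines. The log directory, file names and the 32 MB rotation limit are assumptions, and the Snort `fast.log` entry is included only to show where it sits relative to the unified outputs.

```yaml
# suricata.yaml (Suricata 1.0-era layout, added example). Suricata has no
# "output alert_unified:" lines; the unified outputs are entries under
# "outputs:" and are written into default-log-dir. Paths/limits are assumptions.
default-log-dir: /var/log/suricata/

outputs:
  # line-based alerts in Snort fast.log style; not what barnyard2 reads
  - fast:
      enabled: yes
      filename: fast.log

  # unified v1 log + alert files, for the original barnyard
  - unified-log:
      enabled: yes
      filename: unified.log
      limit: 32            # rotate when the file reaches 32 MB

  - unified-alert:
      enabled: yes
      filename: unified.alert
      limit: 32

  # unified2 alerts, the input for barnyard2 and hence for BASE/Snorby/Sguil
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      limit: 32
```

Suricata appends a timestamp to each spool file (`unified2.alert.<timestamp>`), so barnyard2 is pointed at the directory and the file prefix, for example `barnyard2 -c /etc/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/barnyard2.waldo` (the waldo path is an assumption; it is the bookmark barnyard2 uses to resume without reloading events). In barnyard2.conf the database side is one line of the form `output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost` (credentials are placeholders), and the `config sid_file`, `gen_file`, `classification_file` and `reference_file` directives should point at Suricata's copies of those files so that signature IDs resolve to rule messages in the GUI. As for the table structure: barnyard2 expects the same ACID/Snort schema the GUIs query, and to my knowledge the SQL to create it ships in the barnyard2 source tree (`schemas/create_mysql` and siblings), which is why there is no Suricata-specific schema script.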