What and Why of Snorby
Snorby is a front end web application (scripted in Ruby on Rails) for any application that logs events in the unified2 binary output format.
It is important to understand that Snorby is a front end for other applications, and that administration of your Intrusion Detection System (IDS) (i.e. Snort, Sagan, Suricata) will not always be done through the Snorby interface. It is important that you become familiar with the underlying IDS for proper tuning and updating.
It's a beautiful front-end that is, most importantly, functional! We're not trash talking here, but there are only two front-ends that have proven themselves to keep up with network forensics and lead in incident response (for our hard-core users who like a scripting language called TCL, please see the SGUIL project http://sguil.sourceforge.net/ written by Bamm Visscher).
Snorby now supports OpenFPC, which provides a full transcript of the network traffic. This enables an analyst to see the entire conversation surrounding an attack. With typical IDS solutions you see only around 300 bytes of the traffic, which makes it hard to determine whether a compromise actually occurred, now doesn't it? There's a good book by Richard Bejtlich called "The Tao of Network Security Monitoring" that describes why full packet capture is advantageous.
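As an added example (not code from the Snorby project), here is a minimal Ruby reader for the unified2 records Snorby ingests: the IPv4 alert record and the packet record that carries the few hundred bytes of triggering traffic mentioned above. Record layouts follow the Snort unified2 format; the sample stream, sensor values and payload are constructed inline for illustration.

```ruby
# Added example: reads the unified2 records that Snorby ingests (IPv4 event + packet).
# Each record is a 4-byte type and 4-byte length (big-endian) followed by `length` bytes.
UNIFIED2_PACKET    = 2  # the triggering packet: 28-byte header then packet bytes
UNIFIED2_IDS_EVENT = 7  # IPv4 alert: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
EVENT_FIELDS = %i[sensor_id event_id event_second event_microsecond signature_id
                  generator_id signature_revision classification_id priority_id
                  ip_source ip_destination sport_itype dport_icode
                  protocol impact_flag impact blocked].freeze
PACKET_FIELDS = %i[sensor_id event_id event_second packet_second
                   packet_microsecond linktype packet_length].freeze

def parse_unified2(data)
  records = []
  offset = 0
  while offset + 8 <= data.bytesize
    type, length = data.byteslice(offset, 8).unpack('NN')
    body = data.byteslice(offset + 8, length)
    raise "truncated record at offset #{offset}" if body.nil? || body.bytesize < length
    offset += 8 + length
    case type
    when UNIFIED2_IDS_EVENT
      records << Hash[EVENT_FIELDS.zip(body.unpack('N11n2C4'))].merge(kind: :event)
    when UNIFIED2_PACKET
      rec = Hash[PACKET_FIELDS.zip(body.unpack('N7'))]
      rec[:packet] = body.byteslice(28, rec[:packet_length])
      records << rec.merge(kind: :packet)
    else
      records << { kind: :unknown, type: type, length: length }  # e.g. IPv6/extra-data records
    end
  end
  records
end

def ipv4(n); [n].pack('N').unpack('C4').join('.'); end

# One-line view of an alert in the GID:SID:REV form Snorby shows for each event.
def event_summary(e)
  "#{e[:generator_id]}:#{e[:signature_id]}:#{e[:signature_revision]} " \
  "#{ipv4(e[:ip_source])}:#{e[:sport_itype]} -> #{ipv4(e[:ip_destination])}:#{e[:dport_icode]} proto #{e[:protocol]}"
end

def build_record(type, body); [type, body.bytesize].pack('NN') + body; end

# Constructed sample stream: one alert and its triggering packet (not real capture data).
SAMPLE_PAYLOAD = "GET / HTTP/1.0\r\n".b
SAMPLE_STREAM = build_record(UNIFIED2_IDS_EVENT,
  [1, 42, 1_700_000_000, 123_456, 2_100_498, 1, 7, 3, 2,
   0x0A000005, 0xC0A8010A, 40_000, 80].pack('N11n2') + [6, 0, 0, 0].pack('C4')) +
  build_record(UNIFIED2_PACKET,
  [1, 42, 1_700_000_000, 1_700_000_000, 123_456, 1, SAMPLE_PAYLOAD.bytesize].pack('N7') + SAMPLE_PAYLOAD)
```

Calling `parse_unified2(SAMPLE_STREAM)` returns the alert hash followed by the packet hash; a stream cut mid-record raises rather than silently yielding a partial event.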