Thursday, January 13, 2011

GUIs for Snort

I asked people to send me topics that they'd like to learn more about in Snort, and I received a good number of responses.  So I thought I'd get started on one of them.  (BTW - if you'd like our input on something Snort related for the blog, please feel free to email me at joel [at] snort.org)

Every so often (probably twice a year) there seems to be an uptick in the number of people emailing the mailing lists asking about GUIs for Snort, many of them repeat offenders.  So I am guessing that either people don't know about the GUI options for Snort or people don't like the ones they have.  So let's start off with a few, in alphabetical order:

BASE
BASE, the Basic Analysis and Security Engine, was based on the old ACID codebase.  The ACID GUI (which is now dead, and has been for about five or six years) was a college project written by an attendee of Carnegie Mellon.  It hasn't been actively developed since about 2003.  BASE, a fork of the ACID code, picked up where the original author left off, added a bunch of new features, and became an easy-to-use, multi-language, highly functional GUI.  There were plans for a redesign of BASE, including the database format that it reads from, but Kevin Johnson, the original BASE project manager, has since left the project and turned it over to new management.  However, it remains the most popular Snort GUI with over 215,000 downloads.  BASE is written in PHP and has several dependencies.  BASE has its own IRC channel, #secureideas, although there is rarely anyone there, so most people come to the default #snort for help.

OSSIM
OSSIM, made by AlienVault, stands for "Open Source Security Information Management".  Not only can it take the logs from Snort and display them in a great looking interface, but it also integrates with many other tools (p0f, arpwatch, pads, nessus, ntop, nagios, etc.) for a consistent user interface.  I've personally never used this tool, but I've heard from the people who do use it, and they find it a joy to use.

PLACID
Standing for "Phil Loathes ACID", it was originally made as a super stripped-down way of simply looking at Snort events in the Snort DB.  It has stayed that way.  There is a certain demographic of Snort users that like simple, text-based interfaces, and PLACID serves that need.

SGUIL
(Pronounced "Squeel")  SGUIL started off as the "Snort GUI for Lamers".  The project, maintained by Bamm Visscher, is a multi-part system consisting of a "Sensor", "Server", and "Client".  Not only is SGUIL a GUI for Snort, but it also integrates other technologies into the recording of data for use by the analyst (including full-time, full packet capture).  This is a heavyweight technology, is written in TCL, and is a very well performing engine.  Most people start off with a GUI like BASE and move on to SGUIL.  SGUIL also has its own IRC channel, #snort-gui.

Snorby
A relative newcomer to the Snort GUI area, Snorby uses a lot of "Web 2.0" effects and rendering, providing the user with a very sharp and beautifully functioning tool.  This seems to be the current "go-to" web interface for Snort.  While it has many of the features of BASE (and a lot more: hotkeys, classifications, an iOS interface, and actual PDF reporting), and is not as fully featured as SGUIL (in terms of architecture), it's extremely easy to deploy, looks fantastic, and functions as an alert browser very well.  Snorby's code is hosted on GitHub.  Another advantage of Snorby is that it integrates with the OpenFPC project.  Functioning similarly to how SGUIL collects all information on the network using Full Packet Capture (FPC), Snorby gives you the ability not only to view the Snort alert, but also to view the alerts in context with the rest of the packet flow on the network.  Snorby's IRC channel can be found at #snorby.

SQueRT
Paul wrote in about SQueRT.  SQueRT uses the SGUIL database format and is also web based.  You can see the screenshots and download it at the link above.

This is by no means complete; these are just the most common ones that I see people using.  If I have missed a free Snort GUI that you enjoy, please feel free to respond in the comments.  The more complete your post, the better.  Give people links to your favorite tool.

Update:  http://blog.snort.org/2011/10/comparison-of-3-popular-snort-guis.html

16 comments:

  1. Re Snorby,

    "While not as fully featured as BASE is, and no where near as featured as SGUIL, it's extremely easy to deploy, looks great, and functions as an alert browser very well."

    While I understand that SGUIL offers SOME functionality that Snorby does not, I am curious as to why the author believes BASE (a dead project) is in any way more "fully-featured" than Snorby.

    If the readers want to decide for themselves and demo a live installation of Snorby 2.0 please go to https://demo.snorby.org

    username demo@snorby.org
    password snorby

    Feel free to reach out to me or Mephux on freenode on #snorby if you have any feature requests or questions.

    We'd love to add any useful BASE features you feel we are missing.

  2. Meller,

    You are right, there are features that Snorby has that BASE does not and BASE has some that Snorby does not. I think calling BASE a "dead project" is a bit premature. But I agree it hasn't seen any development in quite a long time.

    I will add the IRC channel to the post as I have done the others.

  3. It has been three and a half years since the last release. BASE is definitely dead meat.

    Replies
    1. Just because a release hasn't been published doesn't mean it's dead.

  4. Anyone know of any GUI for Snort that incorporates an interpreter to help the user in building rules?

    Replies
    1. I don't currently know of any aside from the Sourcefire commercial product.

  5. Hi Joel,

    What about Activeworx Policy Manager v3? I know this software is "dead", and you can barely search for and download it from the net, but I've been using it to manage Snort's signatures.

    http://www.net-security.org/dl/software/idspm.v3.0.1.812.exe

    I wish someone would create a GUI to manage Snort's signatures and snort.conf.

    Replies
    1. Hi mbaki,
      do you have any docs about idspm v3?
      I can't even download the snortrules snapshot...

    2. That tool was bought out by a different company, and I think development and free distribution of the tool has stopped.

    3. It was purchased by Tripwire and killed.

  6. Does anybody know a light GUI to manage snort sigs and snort.conf?
    Not a text editor...

    Replies
    1. I think this is something the community needs to consider developing. There is a very pressing need for a tool to manage rules. It wouldn't necessarily be limited to Snort rules either. It could be designed to handle things like Yara or Bro. I've had discussions in various roles where we've come to agree on a core set of metadata and other features such as IP variable management, an ability to upload pcap, and an ability to verify signatures and play them against existing pcap. But, development never really got off the ground and if it did it's unlikely the tool would've been open-sourced.

  7. Hi All,

    Please recommend some GUI (no problem even if it is commercial) which helps in managing Snort and its actions on alerts (basically a web based SnortSam-like tool).

    Replies
    1. You can use Aanval or LOGalyze; even Splunk also provides the feature to analyze the Snort logs.

  8. Is there a graphical interface that serves to manage the rules?

  9. http://sourceforge.net/projects/snortsms/
    Not maintained. CakePHP based and will require slight extension to work with rules up to 2.9.6.

    ~Cyber.Tao.Flow~
    dataromance.net
