Thursday, January 13, 2011

GUIs for Snort

I asked for people to send me topics that they'd like to learn more about in Snort, and I received a good number of responses.  So I thought I'd get started on one of them.  (BTW - if you'd like to get our input on something Snort related for the blog, please feel free to email me at joel [at] snort.org)

Every so often (probably twice a year) there seems to be an uptick in the number of people emailing the mailing lists asking about GUIs for Snort, many of them repeat offenders.  So I am guessing that either people don't know about the GUI options for Snort or people don't like the ones they have.  So let's start off with a few, in alphabetical order:

BASE
BASE, the Basic Analysis and Security Engine, was based on the old ACID codebase.  The ACID GUI (which is now dead, and has been for about five or six years) was a college project written by an attendee of Carnegie Mellon.  It hasn't been actively developed since about 2003.  BASE, a fork of the ACID code, picked up where the original author left off, added a bunch of new features, and made it an easy to use, multi-language, and highly functional GUI.  There were plans for a redesign of BASE, including the database format that it reads from, but Kevin Johnson, the original BASE project manager, has since left the project and turned it over to new management.  However, it remains the most popular Snort GUI with over 215,000 downloads.  BASE is written in PHP, and has several dependencies.  BASE has its own IRC channel, #secureideas, although there is rarely anyone there, so most people come to the default #snort for help.

OSSIM
OSSIM, made by AlienVault, stands for "Open Source Security Information Management".  Not only can it take the logs from Snort and display them in a great looking interface, but it also integrates with many other tools (p0f, arpwatch, pads, nessus, ntop, nagios, etc.) for a consistent user interface.  I've personally never used this tool, but I've heard from the people that do use it, and they find it a real joy to use.

PLACID
Standing for "Phil Loathes ACID", it was originally made as a very stripped down way of simply looking at Snort events in the Snort DB.  It has stayed that way.  There is a certain demographic of Snort users that likes simple, text based interfaces, and PLACID serves that need.

SGUIL
(Pronounced "Squeel")  SGUIL started off as the "Snort GUI for Lamers".  The project, maintained by Bamm Visscher, is a multi-part system consisting of a "Sensor", "Server", and "Client".  Not only is SGUIL a GUI for Snort, but it also integrates other technologies into the recording of data for use by the analyst (including full-time, full packet capture).  This is a heavyweight system, written in TCL, and it performs very well.  Most people start off with a GUI like BASE and move on to SGUIL.  SGUIL also has its own IRC channel, #snort-gui.

Snorby
A relative newcomer to the Snort GUI area, Snorby uses a lot of "Web 2.0" effects and rendering, providing the user with a very sharp and beautifully functioning tool.   This seems to be the current "go-to" web interface for Snort.  While it has many of the features of BASE (and a lot more: hotkeys, classifications, an iOS interface, and actual PDF reporting), and is not as fully featured as SGUIL (in terms of architecture), it's extremely easy to deploy, looks fantastic, and functions as an alert browser very well.  Snorby's code is hosted on Github, here.  Another advantage of Snorby is that it integrates with the OpenFPC project.  Functioning similarly to how SGUIL collects all information on the network using Full Packet Capture (FPC), Snorby gives you the ability not only to view the Snort alert, but also to view the alert in context with the rest of the packet flow on the network.  Snorby's IRC channel can be found at #snorby.

SQueRT
Paul wrote in about SQueRT.  SQueRT uses the SGUIL database format and is also web based.  You can see the screenshots and download it at the link above.

This is by no means a complete list; these are just the most common ones that I see people using.  If I have missed a free Snort GUI that you enjoy, please feel free to respond in the comments.  The more complete your post, the better.  Give people links to your favorite tool.

Update:  http://blog.snort.org/2011/10/comparison-of-3-popular-snort-guis.html

FirePOWER
While not free by any means, the FirePOWER system is the commercial system that we develop here at Cisco.  Not only does it make the administration and analysis of events from Snort (the engine embedded into FirePOWER) extremely simple, it also couples hundreds more features into an extremely complex system with a simple to understand and navigate GUI.  Made to keep large deployments simple, and small deployments even easier, this is by far the best system made. (We're biased.)  But it is not free.