Snort IDS help...

[Rogue]

Is there any kind of GUI interface that anyone has made to permit changes to rules when using Snort as an IDS? Any assistance would be greatly appreciated.

 

[n0cmonkey]

A GUI for editting the rules themselves or importing new rules and removing others?

A coworker was looking at something that looked like it helped you modify rules, but I didn't pay too much attention. Oinkmaster might provide a web-based tool, but I'm not positive.

 

[Rogue]

I just installed Oinkmaster and got it to download new rules and parse them, but it doesn't really provide a GUI interface to modify rules like I was hoping. Plus, I can't seem to get to the Oinkmaster web pages on Sourceforge.

 

[n0cmonkey]

There is a syntax file for editing snort rules in vim.
Here is a link to oinkmaster.
SnortCenter looks promising.

 

[n0cmonkey]

Originally posted by: Rogue
I just installed Oinkmaster and got it to download new rules and parse them, but it doesn't really provide a GUI interface to modify rules like I was hoping. Plus, I can't seem to get to the Oinkmaster web pages on Sourceforge.

The oinkmaster page works for me. Check out snortcenter, it looks exactly like what you are looking for.

GUI tools are teh sux0r though.

 

[Rogue]

SnortCenter is exactly what I was looking for I think. Let me get it installed and see what comes of it. I'm a kind of a Linux noob and I'm working on saving the government some money by setting up an internal IDS using Snort rather than spending thousands of dollars needlessly. Since this is the first time I've really installed Linux and Snort, I need something to get me started, then I can start using emacs, etc. to config things a little better. Mind if I PM occasionally for assistance?

 

[n0cmonkey]

Originally posted by: Rogue
SnortCenter is exactly what I was looking for I think. Let me get it installed and see what comes of it. I'm a kind of a Linux noob and I'm working on saving the government some money by setting up an internal IDS using Snort rather than spending thousands of dollars needlessly. Since this is the first time I've really installed Linux and Snort, I need something to get me started, then I can start using emacs, etc. to config things a little better. Mind if I PM occasionally for assistance?

You can. I'm subscribing to the thread too, so if you want to make the questions more public (for others to be able to read and help out) that can work too.

I've never used snortcenter, so I can't add much about it really. I have setup snort and acid on a number of machines at home over the past couple of years.

Snort is a good choice, but it really isn't my favorite IDS. I'll rank it over a lot of commercial products though.