BASE, the Basic Analysis and Security Engine, is the standard-bearer of Web-based consoles. Web-based consoles are known for sluggishness, and BASE does not scale well to the enterprise level. BASE can slow down Snort on Knoppix-NSM because Snort must write its output twice: once for BASE and once in "unified" format for Barnyard. BASE is great for demonstration or educational purposes, but be aware of the cost to performance. You'll also find less pertinent information available in the console than you would with Sguil.
Still, Web-based consoles are convenient, and it never hurts to put a different perspective on events.
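The double-logging cost described above comes down to how Snort's output plugins are configured. The fragments below are an added illustration, not configuration from the article or from the Knoppix-NSM distribution: the first snort.conf excerpt logs every event both directly to the database (for BASE) and to the unified spool (for Barnyard); the second removes the direct database output and lets Barnyard populate the same database from the spool, so Snort writes each event once. The Barnyard stanza uses the Barnyard 0.2 acid_db plugin syntax as I recall it and should be treated as an assumption; the password is a placeholder, and the file names and limits are arbitrary.

```conf
# --- snort.conf, demo layout (slower): Snort writes every event twice ---
# Direct database logging consumed by BASE
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
# Unified binary spool consumed by Barnyard
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- snort.conf, corrected: Snort writes only the unified spool ---
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf (assumed Barnyard 0.2 syntax): Barnyard, not Snort, feeds the database ---
# Barnyard reads the spool files asynchronously and inserts events into the
# same schema BASE queries, so BASE keeps working with no direct output in Snort.
config daemon
output acid_db: alert, mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGEME
```

BASE only ever reads the database, so it does not care which process performs the inserts; moving that work out of Snort's path is what removes the performance penalty while keeping the Web console available.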
Ntop, or network top, which is also browser-based, illustrates network usage and status from a variety of perspectives. A standalone application that works separately from all Snort-related applications, ntop acts as the "statistician" for Knoppix-NSM. It allows you to sort and display network traffic according to many protocols and criteria, display and store traffic statistics, identify users and host operating systems, sort by source and destination, and report IP protocol usage. It's worthy of a standalone installation, simply for the return on investment (much for nothing) and the ease of use and installation.
Ntop's wealth of network traffic data makes it invaluable as a Snort companion or standalone tool.
This was first published in October 2007