2014-06-25 11:58 AM
How can I use Snort rules in Security Analytics?
2014-06-26 05:31 AM
I guess the question is why would you want to? SA is a market-leading security platform, so why would you want to degrade its performance with an open-source IDS that can be thrown onto any old Linux box (or VM)? I have heard good things about the "smoothsec" and "security onion" distributions, which are easy to deploy and come with Snort/Suricata configured and Snorby as a web interface. I suggest keeping the appliances separate; going down this route would be far better.
/Craig
2014-06-26 04:36 PM
If you have the 9.8 NWAdmin software, there is some guidance in the Help->Help Documentation section though it will help to be a little "flexible" while you're reading it. I assume this documentation is probably also available within the SA interface, though I don't know specifically where it is.
One critical thing to be aware of: the Snort rule support in NW/SA is a (very) limited subset of the Snort rule functionality, so if you're hoping to just copy a bunch of snort rules in from some community source and get a fully-featured IDS out of it, that's not going to happen. But if you have some specific cases that can be built within NW/SA's limited subset of rule support, you may be able to make something work.
2014-06-26 04:36 PM
But if the decoder is capable of handling it, why not?