Thursday, December 14, 2006

Sguil vs. BASE

This afternoon, someone asked me how I would categorize the differences between Sguil and BASE. I started with the standard response: "BASE is an alert browser, but Sguil encourages a more structured approach."

By the end of my reply, though, I found myself thinking about how to express this in a different way, something that emphasized the functionality of the two systems.

Here's what I came up with, excerpted from my own private email reply:

You can think of the process of intrusion analysis as formulating and
then trying to answer a series of questions. For example, one series
might be:

  1. Was this an actual attack?
  2. If so, was the attack successful?
  3. What other systems may also have been attacked?
  4. What activities did the intruder try to carry out?
  5. What other resources were they able to gain access to?
  6. How should we contain, eradicate and recover from the intrusion?

In this sequence, BASE does a great job of answering question #1. It may also have certain information about #3, but it probably wouldn't supply enough information to give good answers to questions #2, #4 or #5. By correlating the additional information sources, Sguil is often able to come up with very good answers to each of the first five questions. Of course, the more information you have at your disposal, the easier it will be to answer the most important question, #6.

Of course, I'd be very interested to hear from any BASE users who would like to either confirm or dispute my analysis. If that's you, leave a comment!


Secure Ideas said...

I guess I can respond so that some one does.{grin}

I thiink BASE can answer #1 and #3 almost all the time. I think #4 can be answered by BASE a lot of the time. The answers to #2 and #5 depend on the set up of your Snort install and what types of rules it is alerting on. But I will agree tthat SGUIL provides much more information. Of course it comes with more overhead. My personal recommendations have always been to use BASE where the information needed is the executive, tuning, management (not boss management but control management). And use SGUIL is you need to really dig down into the alerts.

Of course I might be a little biased. : )

David Bianco said...

Well, we both have our biases, don't we? 8-)

I definitely agree with your closing, though. There are many times when I recommend that people use BASE, so I'm definitely not trying to put it down. Both BASE and Sguil are great projects.

As I told the person I originally wrote that message to, the choice of BASE vs. Sguil really depends on what your philosphy of IDS is. If you need to generate reports or you're not going to do a lot of detailed investigation, BASE is probably best. If you need detailed forensic-style information for incident investigation and response, I still think Sguil is a better choice.