This is a discussion on Re: [Snort-users] Re: About to setup snort within the Snort forums, part of the System Security and Security Related category.
I suppose this warrants a response 'on list' even though I know you and Rich have communicated privately about your concerns with the name.

First off, please understand that I have a dry sense of humor and a tendency to be 'slightly' sarcastic. In truth, the ink is completely worn off my </sarcasm> key. With that in mind, here is the history of the name (WARNING: long version with useless information follows. If uninterested skip to the bottom and short version).

Sometime in 1999/2000 I started writing my own little interface to snort for my own home/personal use. I named it spreg (Snort Personal Realtime Event GUI). Soon after that I took a position to start a managed security monitoring service within an established company focused on the gov't who wanted to get into commercial business. I took spreg with me, improved upon it, and pretty soon Rich and I had what we felt was a nifty interface that followed our theories on Network Security Monitoring (NSM) and worked extremely well in our organization. During this time, I became a regular in #snort. Often times we'd talk theory and I'd leak screen shots of spreg to give others an idea of what we were doing in our organization. I would have liked to share the code at that time, but technically it was now owned by the company (I was developing it on its time) and it would have been a support nightmare (originally it was more proof of concept, and a look/feel template for our REAL developers to use as they wrote a more robust system for long term use).

Then the market tanked. Soon after, said company decided that maybe commercial work wasn't so great and they needed to focus on their 'core competency' (ie "you are all fired"). Lucky for me, one of our monitored 'customers' was our parent company. They liked what we provided them and they offered to transfer me to corporate to continue monitoring its network. I considered the guys in #snort friends and as I related the news, it again brought up the question of the spreg code. Could I now open source it? The quick answer was no. Ex-company bundled it with the long term project code, tried unsuccessfully to sell it, and shelved it. In the end, we (corporate) could continue to use it, but it wasn't 'ours'. Much discussion on #snort occurred and the question of re-writing it on 'my' time arose. My boss approved and off I went. The channel #snort-gui was created a few months later I was ready for some of the guys to test it out. It proved to be a very alpha, but worthwhile project without a name.

In order to understand the 'lamerz' part, you need to understand that a typical day in #snort went something like (my nick is 'qru' and by #snort-regular, I mean the contingent of snort users who spend a lot of time in #snort, contribute to the project, but aren't considered developers):

****Joins: USER1 has joined #snort
<USER1> I have a question, are there any developers here?
<#snort-regular> They are here, just idle. Ask your question, and maybe one of us can help
<USER1> Question
<#snort-regular> Answer
-[repeat 10x]-
****Joins: USER12 has joined #snort
<USER12> I have a question, are there any developers here?
<qru> No, just us lamerz. </sarcasm>
-[fast forward to next day]-
<qru> G'morning lamerz.
<#snort-regulars> heh.
-[repeat as needed]-

The gist of the "what do we name it" conversation went something like:

<qru> What do we call this thing?
<geek2> `echo http://www.thesaurus.com->pig`
<qru> ick
<scottder> How about <some word in some language that meant pig>
<qru> I've been calling it 'swine' as 'wine' makes me think GUI and s == snort
<qru> But I really don't like it.
<geek2||tinsley> How about SGUI - Snort GUI
<qru> Hrm. Kinda like that but it doesn't have that 'snort' name to it like barnyard, oinkmaster, etc.
-[much discussion]-
<qru> How about sguil. Has the GUI in the middle and we can pronounce it like 'sgweel' (the sound a pig makes).
<scottder> "Make your pig sgweel".
-[and there was much rejoicing]-
<qru> Okay, so what does the 'L' stand for?
<tinsley> lamerz ;)
<qru> Bwhahahahahaahahahhaah! Snort GUI for Lamerz, That's it!
<geek2> ditto
<scottder> ditto

So that is how we came up with the name. I registered the project on sourceforge and we continued development. Some time later, Rich in his infinite wisdom said, "You know, we might want to reconsider the 'lamerz' part. It's not very marketable." Of course, I originally scoffed at the idea. This was a project for analysts, by analysts. If someone didn't want to use it because of the name, then they obviously aren't worthy </wayne&garth> of using it.

Time passes and Sguil starts to mature. Rich brings up the name again, this time admitting he's shown it to a couple of high profile security types, who liked it a lot but had bad reactions to the name. He was starting to write his book, wanted sguil to be a big part of it, but the 'lamerz' had him concerned. He also had an opportunity to publish an article in SysAdmin Magazine and really wanted us to drop the 'lamerz' as he didn't think it would be received well. In the end, we agreed that Rich was right (damn you Rich!!), and after much discussing of what we could change the 'L' to, it was decided that we would silently drop the mention of the 'lamerz' and just refer to it as 'sguil'. What the 'l' meant would just be insider information from now on. Obviously I didn't do a very good job of cleanup (the screenshots in the homepage were old and still had the 'lamerz' in the titlebar. Doesn't really matter though, thanks to Google, lamerz will always be there).

And that's the rest of the story. Please don't be deceived by the name. Sguil is actively developed by a group of professional individuals who use it in real environments. We are not out there to sell you some slick interface that accomplishes nothing. We believe in the process of NSM and are trying our best to spread the word. Rich has a kick ass book coming out in July (http://www.amazon.com/exec/obidos/AS...471674-6122508). If you buy into the theories he discusses there, then you'll understand better what we have started with sguil.

Almost forgot the short Version:

Don't judge a book by its cover. ;)

Bammkkkk

On Fri, May 21, 2004 at 11:48:48AM -0400, Shaun T. Erickson wrote:
> Richard Bejtlich wrote:
>
> >If you get frustrated with ACID, consider
> >Sguil (sguil.sourceforge.net).
>
> It looks interesting, but I can guarantee you that I won't be running
> anything that considers its users to be "lamerz".
>
> -ste