What and Why of Snorby - Snorby/snorby GitHub Wiki
What is Snorby?
Snorby is a front end web application (scripted in Ruby on Rails) for any application that logs events in the unified2 binary output format.
It is important to understand that Snorby is a front end for other applications, and that the administration of your Intrusion Detection System (IDS) (i.e. Snort, Sagan, Suricata) will not always be done through the Snorby interface. It is important that you become familiar with the underlying IDS for proper tuning and updating.
Why Snorby?
It's a beautiful front-end that is, most importantly, functional! We're not trash talking here, but there are only two front-ends that have proven themselves able to keep up with network forensics and lead in incident response (for our hard-core users that like a scripting language called TCL, please see the SGUIL project, http://sguil.sourceforge.net/, written by Bamm Visscher).
Why Full Packet Capture?
Snorby now supports OpenFPC, which provides a full transcript of the network traffic. This enables an analyst to see the entire conversation surrounding an attack. With typical IDS solutions, you see only around 300 bytes of the traffic. That makes it hard to determine whether a compromise actually occurred, doesn't it? There's a good book written by Richard Bejtlich called "The Tao of Network Security Monitoring" that describes why Full Packet Capture is advantageous.
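To make the two points above concrete (Snorby consumes unified2, and a unified2 packet record carries only the few hundred bytes the IDS chose to keep), here is an added reader for the unified2 stream an IDS writes; it is example code, not Snorby's or barnyard2's own, and the sample stream, sensor id, event id and signature id in it are constructed for the demonstration.

```python
import socket
import struct

# unified2 (added example, not Snorby's code): a stream of records, each with a
# big-endian header {uint32 type, uint32 length}; length counts only the body.
UNIFIED2_PACKET = 2       # packet record: header fields + captured bytes
UNIFIED2_IDS_EVENT = 7    # IPv4 alert record (Unified2IDSEvent)

_EVENT_FMT = ">IIIIIIIII4s4sHHBBBB"   # 52-byte event body
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source",
                 "ip_destination", "sport_itype", "dport_icode", "protocol",
                 "impact_flag", "impact", "blocked")
_PACKET_FMT = ">IIIIIII"              # 28-byte packet header, then packet data
_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                  "packet_microsecond", "linktype", "packet_length")

def parse_unified2(data):
    """Yield (record_type, fields) for each record in a unified2 byte string."""
    off = 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        off += 8 + rlen
        if rtype == UNIFIED2_IDS_EVENT:
            rec = dict(zip(_EVENT_FIELDS, struct.unpack(_EVENT_FMT, body[:52])))
            rec["ip_source"] = socket.inet_ntoa(rec["ip_source"])
            rec["ip_destination"] = socket.inet_ntoa(rec["ip_destination"])
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(_PACKET_FIELDS, struct.unpack(_PACKET_FMT, body[:28])))
            rec["packet_data"] = body[28:28 + rec["packet_length"]]
        else:
            rec = {"raw": body}  # IPv6/VLAN event or extra-data record: untouched
        yield rtype, rec

def _record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

# Constructed sample: one alert (gid 1, sid 1000001) plus its truncated packet.
SAMPLE = _record(UNIFIED2_IDS_EVENT, struct.pack(
    _EVENT_FMT, 1, 42, 1700000000, 0, 1000001, 1, 1, 3, 2,
    socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
    40001, 80, 6, 0, 0, 0)) + _record(UNIFIED2_PACKET, struct.pack(
    _PACKET_FMT, 1, 42, 1700000000, 1700000000, 0, 1, 12) + b"GET / HTTP/1")
```

The packet record is matched to its alert by sensor_id and event_id; the 12 bytes it carries here are all an analyst would get without a full packet capture such as OpenFPC behind it.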