RE: ACID and MySQL questions

[roman () danyliw com]

> What exactly is the goal of the archive feature?

The inherent problem is that as the DB grows,
ACID performance suffers.  Likewise, it is often the
case that as the incidents with which the alerts
are associated are handled, there is no need to
keep then in the "current" database.  However, 
there is currenlty no mechanism to easily exclude
these alerts from analysis operations.  

Archiving is a way to move the alerts from the 
current analysis scope, but still keep them in a 
form which can be referenced if necessary.  Periodic
archive will speed up the performance of queries
as well as decrease the output of queries whereby
easing the role of the analyst.  In the long term,
archiving will be not necessary for this latter
reason since ACID will incorporate work-flow
functionality.  However, the issue of slow queries
dues to several million rows in the DB for example
is not one that is easily mitigated.

cheers,
Roman
 

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of
> roman () danyliw com
> Sent: Monday, August 06, 2001 5:15 PM
> To: jlewis () packetnexus com
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] ACID and MySQL questions
>
>
> Hi Jason,
>
> > I am using the archive DB function in ACID.  I don't see a link in ACID
> that
> > will let you view the archive.  I just copied the ACID files into a second
> > directory and pointed the acid_conf to the archive db.  My question
> is....Is
> > that the only way to do it?  Or is there something I missed?  BTW, I am
> > happy with the latest ACID build b13.
>
> The archive database is no different than the "active"
> alert databaase.  Hence, there is no special
> mechanism by which to view it.
>
> > Next question.... I can't find any info on what exactly a snort sensor
> that
> > is not running MySQL needs in the way of MySQL libraries to be able to log
> > to a central MySQL DB server.  Can I get away with installing the MySQL
> > client?  So far I have been doing full blown installs of MySQL on each
> > sensor.  Anyone doing something different?
>
> I have not confirmed this, but I suspect that
> in order to perform remote DB logging only the
> Mysql-devel library would be necessary.
>
> cheers,
> Roman
>
>
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users