Snort mailing list archives

Support Issues


From: "Oxenreider, Jeff" <jox () safelite com>
Date: Tue, 7 Aug 2001 08:15:37 -0400

Is it just me or does Roman kick total A$$??!??!?

Between Roman and Martin (and the rest of the snort developers for plugins,
addons, etc) I can't think of a more supported "free" set of applications
out there today.  I just get all warm and fuzzy seeing these guys devote as
much time and energy to a product that they've developed and released for no
cost to us, and the whole pride and ownership of problems just makes a
supervisor smile... :)

Sorry, just felt the overwhelming urge to say thanks guys.



Jeffrey A. Oxenreider
Senior Network/Security Engineer
Safelite Glass Corp
614.761.4836


-----Original Message-----
From: roman () danyliw com [mailto:roman () danyliw com]
Sent: Monday, August 06, 2001 7:19 PM
To: jlewis () packetnexus com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ACID and MySQL questions


What exactly is the goal of the archive feature?

The inherent problem is that as the DB grows,
ACID performance suffers.  Likewise, it is often the
case that as the incidents with which the alerts
are associated are handled, there is no need to
keep them in the "current" database.  However, 
there is currently no mechanism to easily exclude
these alerts from analysis operations.  

Archiving is a way to move the alerts from the 
current analysis scope, but still keep them in a 
form which can be referenced if necessary.  Periodic
archiving will speed up the performance of queries
as well as decrease the output of queries, thereby
easing the role of the analyst.  In the long term,
archiving will not be necessary for this latter
reason since ACID will incorporate work-flow
functionality.  However, the issue of slow queries
due to several million rows in the DB, for example,
is not one that is easily mitigated.

cheers,
Roman
 



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
roman () danyliw com
Sent: Monday, August 06, 2001 5:15 PM
To: jlewis () packetnexus com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ACID and MySQL questions


Hi Jason,

I am using the archive DB function in ACID.  I don't see a link in ACID that
will let you view the archive.  I just copied the ACID files into a second
directory and pointed the acid_conf to the archive db.  My question is....Is
that the only way to do it?  Or is there something I missed?  BTW, I am
happy with the latest ACID build b13.

The archive database is no different than the "active"
alert database.  Hence, there is no special
mechanism by which to view it.


Next question.... I can't find any info on what exactly a snort sensor that
is not running MySQL needs in the way of MySQL libraries to be able to log
to a central MySQL DB server.  Can I get away with installing the MySQL
client?  So far I have been doing full blown installs of MySQL on each
sensor.  Anyone doing something different?

I have not confirmed this, but I suspect that
in order to perform remote DB logging only the
Mysql-devel library would be necessary.

cheers,
Roman


---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users










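Roman describes archiving as moving handled alerts out of the "current" analysis scope into a second database that is still queryable. The script below is an added illustration of that move, not code from ACID, Snort or anyone in this thread: it copies alerts older than a cutoff into an archive table and deletes them from the active table inside one transaction, so an alert is never lost between the copy and the delete, and it shows that archived alerts can still be looked up by their key. It assumes a minimal `event` table with `sid`, `cid`, `signature` and `timestamp` columns (a simplification of the Snort/ACID schema, not taken from the thread), uses SQLite in place of MySQL, and the sample alerts are constructed.

```python
"""Move old alerts from the active alert table to an archive table in one
transaction, keeping the active table small while archived rows stay queryable.

Assumptions (not from the thread): a minimal `event` table modelled loosely on
the Snort/ACID schema (sid, cid, signature, timestamp); SQLite stands in for
MySQL; the sample alerts below are constructed.
"""
import sqlite3

# Constructed sample alerts: (sensor id, per-sensor counter, signature id, timestamp)
SAMPLE_ALERTS = [
    (1, 1, 1001, "2001-08-01 09:12:00"),
    (1, 2, 1002, "2001-08-02 14:30:00"),
    (2, 1, 1001, "2001-08-03 22:05:00"),
    (1, 3, 1003, "2001-08-06 08:00:00"),
    (2, 2, 1002, "2001-08-06 17:45:00"),
]


def build_db():
    """Create an active database with an attached archive database and load
    the constructed sample alerts into the active `event` table."""
    # Autocommit mode: transactions are begun and ended explicitly below.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    for schema in ("main", "archive"):
        conn.execute(
            f"CREATE TABLE {schema}.event ("
            "sid INTEGER NOT NULL, cid INTEGER NOT NULL, "
            "signature INTEGER NOT NULL, timestamp TEXT NOT NULL, "
            "PRIMARY KEY (sid, cid))"
        )
    conn.executemany("INSERT INTO main.event VALUES (?, ?, ?, ?)", SAMPLE_ALERTS)
    return conn


def archive_before(conn, cutoff):
    """Copy alerts with timestamp < cutoff into archive.event and delete them
    from main.event as a single transaction.  Returns the number moved.  If the
    copied and deleted counts disagree, the transaction is rolled back so the
    active table is never left short of rows that did not reach the archive."""
    conn.execute("BEGIN")
    try:
        copied = conn.execute(
            "INSERT INTO archive.event SELECT sid, cid, signature, timestamp "
            "FROM main.event WHERE timestamp < ?", (cutoff,)).rowcount
        deleted = conn.execute(
            "DELETE FROM main.event WHERE timestamp < ?", (cutoff,)).rowcount
        if copied != deleted:
            raise RuntimeError(f"copied {copied} rows but deleted {deleted}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return copied


def count_alerts(conn, schema):
    """Number of alerts in the given schema ('main' or 'archive')."""
    return conn.execute(f"SELECT COUNT(*) FROM {schema}.event").fetchone()[0]


def find_alert(conn, sid, cid):
    """Look an alert up by its (sid, cid) key in the active table first, then
    the archive.  Returns (schema, row) or None if it exists in neither."""
    for schema in ("main", "archive"):
        row = conn.execute(
            f"SELECT sid, cid, signature, timestamp FROM {schema}.event "
            "WHERE sid = ? AND cid = ?", (sid, cid)).fetchone()
        if row is not None:
            return schema, row
    return None


if __name__ == "__main__":
    conn = build_db()
    moved = archive_before(conn, "2001-08-05 00:00:00")
    print(f"moved {moved}; active={count_alerts(conn, 'main')} "
          f"archive={count_alerts(conn, 'archive')}")
    print(find_alert(conn, 2, 1))
```

The same copy-then-delete shape carries over to MySQL with the archive held in a second database on the same server; the point of doing both statements in one transaction is that a failure between them leaves the alerts where they were rather than silently dropping them. Running the archive step again with the same cutoff moves nothing, so it is safe to schedule periodically.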
