Snort mailing list archives
RE: AW: (Snort-users) Log analysis tools
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Fri, 7 Sep 2001 11:18:50 -0400
There seems to be a lot of concern over the performance of ACID with large databases. Our site is no different if I install Snort using the standard rules out-of-the-box. Viruses like Code Red flooded my Internet IDS with tens of thousands of alerts, but in most cases (certainly in ours), the IIS patches have been applied, the firewalls re-configured, or whatever you do to protect yourself, and the attacks just become more background noise from the Internet. I'm not overly confident of our firewall's abilities, and do run a second probe inside our firewall that continues to watch for things like Code Red that should have been blocked or are generated from within, but the outside probe does not. I also archive and then purge the database daily (via automated scripts, not manually), keeping no more than 7 days worth of traffic in it. That's an arbitrary value, but it's long enough to allow me to detect "paranoid" nmap scans which I used as a yardstick. I do continuous statistical "control chart" type analysis of the data, looking for significant changes in traffic by host and by event. Bottom line... my online database never gets into the millions of records big. In fact, it's usually in the low tens-of-thousands.
-----Original Message-----
From: sandro.poppi () wacker com [SMTP:sandro.poppi () wacker com]
Sent: Thursday, September 06, 2001 9:52 AM
To: subba9 () home com
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] AW: (Snort-users) Log analysis tools

Try ACID. It's not that simple to install because of various support packages needed and it's database related, but you get all alerts when they happen (nearly realtime) and it can be queried via a browser. ACID can be found on http://www.cert.org/kb/acid/

Thank you for replying and this info. Is ACID a memory hog?

Well, I'm running snort on 4 interfaces (100 MBit/s FD, average to low utilization) and also SnortSnarf and ACID including a mysql database all on a PIII/800 with 256 MB RAM. I did not have any memory or cpu probs yet (pssst: I'm running also ntop to get infos about the utilization of the interfaces on the same machine, but please don't tell it to others >8).

SnortSnarf needs a lot of tuning up (that is another discussion). I would assume that such (ACID) setup would be on a different box and not on the Snort agent itself.

Of course this is a better solution especially if you are using more than one snort sensor to log into the same database. But as said before, no probs yet.

Thank you once again.

Anytime, Sandro

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
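The "control chart" analysis Fraser describes (daily alert counts per host and event, flag a day that departs significantly from the rest of the 7-day window) as an added example; this is not code from the post or from Snort/ACID, and the alert records, host addresses and the 3-sigma threshold are constructed assumptions:

```python
"""Control-chart check over daily Snort alert counts per (source host, signature).
Added illustration; not the poster's scripts. Alert rows are constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def daily_counts(alerts):
    """Group (day, src_ip, signature) rows into per-(host, signature) day counters."""
    counts = defaultdict(Counter)
    for day, src, sig in alerts:
        counts[(src, sig)][day] += 1
    return counts


def control_chart_flags(alerts, days=7, sigma=3.0, min_sd=1.0):
    """Flag (host, signature) pairs whose latest day exceeds mean + sigma*stddev
    of the earlier days in the retention window.  min_sd floors the spread so a
    baseline with zero variance (e.g. exactly 2 alerts every day) does not trip
    on a one-alert increase.  Returns (key, latest_count, upper_control_limit)."""
    flags = []
    for key, per_day in daily_counts(alerts).items():
        observed = [per_day.get(d, 0) for d in range(1, days + 1)]
        baseline, latest = observed[:-1], observed[-1]
        ucl = mean(baseline) + sigma * max(pstdev(baseline), min_sd)
        if latest > ucl:
            flags.append((key, latest, round(ucl, 1)))
    return flags


def constructed_alerts():
    """Constructed sample: one host steady around 10 IIS alerts/day then a burst
    on day 7, a second host with a flat 2 NMAP pings/day for all 7 days."""
    alerts = []
    for day, n in enumerate([9, 11, 10, 8, 12, 10, 60], start=1):
        alerts += [(day, "10.0.0.5", "WEB-IIS cmd.exe access")] * n
    for day in range(1, 8):
        alerts += [(day, "10.0.0.9", "ICMP PING NMAP")] * 2
    return alerts


if __name__ == "__main__":
    for key, latest, ucl in control_chart_flags(constructed_alerts()):
        print(f"{key}: {latest} alerts on day 7, upper control limit {ucl}")
```

Only the bursting host is reported; the flat NMAP source stays below its floored limit, which is the kind of steady "background noise" the post says should not page anyone.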