Snort mailing list archives
Re: Anyone using "Enterprise implementation"?
From: Emre Bastuz <info () emre de>
Date: Wed, 27 Aug 2003 17:00:20 +0200
Hi,

first of all thanks for the many responses! For those who are interested, here a summary of what has been suggested:

- AFAIS the first thing for me to do to improve the database performance would be to modify the snort config and disable all unnecessary rules/checks. Of course it's not always easy to know what is needed and what is not - "our webserver might be under attack, but wait - did I activate the appropriate rule in my sensor? *argh*".
- Secondly an archiving practice to move data from the current DB to another one should be necessary.
- Furthermore I have to reconsider what Snort is being used for in general: not for analysis that is X days old but for recognition of supposed attacks within a short timeframe.
- Filtering out ICMP/SYN noise should also reduce the size of the DB.

I do not see any reason for switching to another database (Postgres or even Oracle). Those might be nice when used in a commercial environment due to the transactions, rollback, etc. functions but this makes no sense for Snort (as Mysql's just an alternative to flat file). Mysql in this case is the most performant DB and thus the best choice (IMHO).

Bamm suggested using http://sguil.sf.net/ and Herve mentioned an Acid like frontend that will come out in a while. I'll definitely take a look at those.

Using two machines in a sensor/manager way is part of an evaluation to decide if commercial products are worth the money or if Snort is an alternative. My major concern was hardware performance when sniffing on a GigE network, that's why I added all kinds of signatures to the snort process in the first place. Once I got the appropriate ruleset and frontend figured out, I'd like to concentrate on hardware prerequisites for a given network load. I'm planning to do some MRTG/RRD style presentation. Anyone interested in such a thing? If there is anything you would like to see integrated in the performance measuring please let me know.
Thanks again,
Emre

--
info () emre de
http://www.emre.de
UIN: 561260
PGP Key ID: 0xAFAC77FD
I don't see why some people even HAVE cars. -- Calvin
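The archiving practice from the summary above (move alerts older than a cutoff out of the live database so the sensor's DB stays small, without losing the history) comes down to copy, verify, delete inside one transaction. As an added example that is not from the thread or from Snort itself, the following script runs that pattern against a constructed, much simplified stand-in for Snort's event table, using SQLite in memory instead of MySQL so it runs offline; the column layout and the sample rows are assumptions for illustration, not the real Snort schema. It also reports alert counts per signature, which is the quickest way to see how much of the live table is ICMP/SYN noise before deciding what to filter.

```python
import sqlite3

# Constructed sample rows (sid, cid, signature, timestamp): a simplified
# stand-in for Snort's "event" table, not the real schema.
SAMPLE_EVENTS = [
    (1, 1, "ICMP PING", "2003-06-30 08:12:01"),
    (1, 2, "ICMP PING", "2003-07-15 09:30:44"),
    (1, 3, "WEB-IIS cmd.exe access", "2003-08-20 14:01:12"),
    (1, 4, "ICMP PING", "2003-08-26 16:45:00"),
    (1, 5, "SCAN SYN FIN", "2003-08-27 07:15:33"),
]

# Same assumed layout for the live ("main") and the archive database.
SCHEMA = (
    "CREATE TABLE {db}.event ("
    " sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,"
    " PRIMARY KEY (sid, cid))"
)


def open_dbs():
    """Open the live alert DB in memory, load the sample rows and attach an
    empty archive DB. isolation_level=None leaves transaction control to us."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(SCHEMA.format(db="main"))
    conn.executemany("INSERT INTO main.event VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    conn.execute(SCHEMA.format(db="archive"))
    return conn


def signature_counts(conn):
    """Alerts per signature in the live table, busiest first."""
    rows = conn.execute(
        "SELECT signature, COUNT(*) FROM main.event"
        " GROUP BY signature ORDER BY COUNT(*) DESC, signature"
    ).fetchall()
    return [(sig, n) for sig, n in rows]


def archive_events(conn, cutoff):
    """Move every live event with timestamp < cutoff into archive.event.

    Copy first, check that the number of copied rows equals the number
    selected, and only then delete; everything happens in one transaction,
    so a failed copy rolls back and the live table is left untouched.
    Returns (moved, remaining_in_live).
    """
    conn.execute("BEGIN")
    try:
        (to_move,) = conn.execute(
            "SELECT COUNT(*) FROM main.event WHERE timestamp < ?", (cutoff,)
        ).fetchone()
        copied = conn.execute(
            "INSERT INTO archive.event"
            " SELECT * FROM main.event WHERE timestamp < ?", (cutoff,)
        ).rowcount
        if copied != to_move:
            raise RuntimeError(f"copied {copied} rows, expected {to_move}")
        deleted = conn.execute(
            "DELETE FROM main.event WHERE timestamp < ?", (cutoff,)
        ).rowcount
        if deleted != to_move:
            raise RuntimeError(f"deleted {deleted} rows, expected {to_move}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    (remaining,) = conn.execute("SELECT COUNT(*) FROM main.event").fetchone()
    return to_move, remaining


if __name__ == "__main__":
    db = open_dbs()
    print("before:", signature_counts(db))
    print("moved/remaining:", archive_events(db, "2003-08-01 00:00:00"))
    print("after:", signature_counts(db))
```

Against MySQL the same steps would be an `INSERT ... SELECT` into the archive schema followed by the `DELETE`, with the row counts compared in between; the point of the count check is that a partial copy (disk full, lost connection) never leads to a delete.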