Snort mailing list archives

RE: Anyone using "Enterprise implementation"?


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Wed, 27 Aug 2003 11:13:07 -0500


If you go back in the past on this I've had very extended rants to this exact point.  The links are below.  I've had 
enough experience to say this with some authority: MySQL should not be used with snort in an enterprise environment; 
and specifically should not be used when there is a legal requirement for the analysis and integrity of the data.  If 
anyone wants more details than in the below articles, please email me and I'll do my best to help.

 [ http://archives.neohapsis.com/archives/snort/2003-01/0076.html ]
 [ http://archives.neohapsis.com/archives/snort/2003-03/1076.html ]

Also, in case anyone wants to ask... yes we've tried the newer version of mysql (4.0) for some development apps (and I 
myself use 4.1 at home).  The performance in 4 is better than we experienced in the previous versions, but was still 
far behind Oracle in performance for the types of stuff we do.  I have a working version of a new table structure that 
performs better running at my home.  It takes a little more space but gets rid of the majority of joins and fixes the 
pk problem that causes slow joins in all DBs we've tested.  If I could get a C/OCI person to help out, I'd love to give 
this back to the community.

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Tuesday, August 26, 2003 6:41 PM
To: Kreimendahl, Chad J
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Anyone using "Enterprise implementation"?


Chad,

Blanket statements like this should be avoided. If you don't have time to
make a clear and defined statement then it might be wise to bypass any
remark at all and leave it to someone that has the time.

I don't know postgres or I'd be happy to make a statement.

Is it possible to answer his question in some detail?

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kreimendahl,
Chad J
Sent: Tuesday, August 26, 2003 8:35 AM
To: Emre Bastuz; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Anyone using "Enterprise implementation"?


I wouldn't recommend using mysql in an 'Enterprise' environment for anything
that matters to you.   If your company already pays for oracle, you'll be
better off using that.   If not, postgres is a step in the right direction.

-----Original Message-----
From: Emre Bastuz [mailto:info () emre de] 
Sent: Tuesday, August 26, 2003 4:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Anyone using "Enterprise implementation"?


Hi,

I've been planning to deploy Acid+Snort+Snortcenter in an "enterprise"
scenario with about 10 sensors with GigE Interfaces and one management
machine with mysql, apache, etc..

During my initial test Snort wrote about 6 Gig of information from
sensor to management machine within 8 hours.

Not that I did not expect this but the mysql queries on the Acid console
take forever thus leaving the system completely useless.

I read the FAQ and also did some serious Googling to learn how to improve
performance but creating indexes and tuning buffers did not really help.

Is anyone out there using Acid+Snort+Snortcenter in an environment like I'm
planning to do?

How do you guys handle the huge data that is being written to the db?

Just wondering: if just one sensor with GigE, sniffing on 3x100mbit, is
generating that much data, how does Acid+Snort scale when used with more sensors?

I could live with doing daily archives of the database but I'm afraid with
multiple sensors I would have to switch to archiving every 12 or 6 hours.

Any solution or suggestion? Even links, FAQs and docs I might have missed
are very welcome :)

Emre

-- 
info () emre de              http://www.emre.de        
UIN: 561260           PGP Key ID: 0xAFAC77FD
I don't see why some people even HAVE cars. -- Calvin
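Emre's question about how to handle the volume of alerts ending up in the database, and the archiving interval he expects to need, is the part of this thread a practitioner would most want to see worked through. What follows is an added example, not code from the thread or from the Snort/ACID projects: it uses a stripped-down copy of the Snort database output schema (the composite (sid, cid) key on `event` and `iphdr`, plus the `signature` lookup table that ACID joins against; the exact column set is an assumption, check it against your own `create_mysql` script) and moves every alert older than a cutoff into a separate archive database in one transaction, so a crash half-way leaves the alert in exactly one place. It is written against sqlite3 so it runs offline; on MySQL or PostgreSQL the same `INSERT ... SELECT` / `DELETE` pair applies, with the attach replaced by a second schema or connection. The sample alerts are constructed.

```python
"""Hypothetical rotation routine for a Snort/ACID-style alert database.
Added example; schema and sample data are assumptions, not the thread's."""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta

# Subset of the Snort DB output plugin schema (assumed): alerts are keyed by
# sensor id + per-sensor counter, and ACID joins event -> iphdr -> signature.
SCHEMA = """
CREATE TABLE IF NOT EXISTS signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_priority INTEGER);
CREATE TABLE IF NOT EXISTS event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT NOT NULL,            -- 'YYYY-MM-DD HH:MM:SS', sorts as text
    PRIMARY KEY (sid, cid));
CREATE INDEX IF NOT EXISTS event_timestamp ON event(timestamp);
CREATE TABLE IF NOT EXISTS iphdr (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL, ip_proto INTEGER NOT NULL,
    PRIMARY KEY (sid, cid));
"""
TS = "%Y-%m-%d %H:%M:%S"


def open_alert_db(path=":memory:"):
    # autocommit mode so the BEGIN/COMMIT below is exactly what runs
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def load_constructed_events(conn, sensors, per_sensor, start, step=timedelta(minutes=1)):
    """Constructed sample data: every sensor logs one alert per `step`."""
    conn.execute("BEGIN")
    conn.executemany("INSERT OR IGNORE INTO signature VALUES (?, ?, ?)",
                     [(1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1)])
    for sid in sensors:
        for cid in range(1, per_sensor + 1):
            ts = (start + cid * step).strftime(TS)
            conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, 1 + cid % 2, ts))
            conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                         (sid, cid, 0x0A000001 + cid, 0x0A0000FE, 6))
    conn.execute("COMMIT")


def archive_older_than(live, archive_path, cutoff):
    """Move alerts with timestamp < cutoff (and their iphdr rows) to the archive
    database atomically. Returns (moved, archived_total, remaining_live)."""
    live.execute("ATTACH DATABASE ? AS arch", (archive_path,))
    try:
        live.executescript(SCHEMA.replace("IF NOT EXISTS ", "IF NOT EXISTS arch."))
        cur = live.cursor()
        moved = cur.execute("SELECT COUNT(*) FROM main.event WHERE timestamp < ?",
                            (cutoff,)).fetchone()[0]
        cur.execute("BEGIN IMMEDIATE")           # one transaction: copy, then delete
        cur.execute("INSERT OR IGNORE INTO arch.signature SELECT * FROM main.signature")
        cur.execute("""INSERT INTO arch.iphdr SELECT i.* FROM main.iphdr i
                       JOIN main.event e ON e.sid = i.sid AND e.cid = i.cid
                       WHERE e.timestamp < ?""", (cutoff,))
        cur.execute("INSERT INTO arch.event SELECT * FROM main.event WHERE timestamp < ?",
                    (cutoff,))
        cur.execute("""DELETE FROM main.iphdr WHERE EXISTS (SELECT 1 FROM main.event e
                       WHERE e.sid = iphdr.sid AND e.cid = iphdr.cid AND e.timestamp < ?)""",
                    (cutoff,))
        cur.execute("DELETE FROM main.event WHERE timestamp < ?", (cutoff,))
        cur.execute("COMMIT")
        archived = cur.execute("SELECT COUNT(*) FROM arch.event").fetchone()[0]
        remaining = cur.execute("SELECT COUNT(*) FROM main.event").fetchone()[0]
    except Exception:
        if live.in_transaction:
            live.execute("ROLLBACK")            # nothing moved, nothing lost
        raise
    finally:
        live.execute("DETACH DATABASE arch")
    return moved, archived, remaining


def acid_style_listing(conn, limit=5):
    """The three-way join an ACID alert listing runs; works on live or archive."""
    return conn.execute("""SELECT e.sid, e.cid, e.timestamp, s.sig_name, i.ip_src, i.ip_dst
                           FROM event e JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
                           JOIN signature s ON s.sig_id = e.signature
                           ORDER BY e.timestamp DESC LIMIT ?""", (limit,)).fetchall()


def demo():
    """Two sensors, 240 alerts each over four hours; archive all but the last hour."""
    start = datetime(2003, 8, 26, 0, 0, 0)
    live = open_alert_db()
    load_constructed_events(live, sensors=(1, 2), per_sensor=240, start=start)
    cutoff = (start + timedelta(hours=3)).strftime(TS)
    tmpdir = tempfile.mkdtemp()
    try:
        moved, archived, remaining = archive_older_than(live, os.path.join(tmpdir, "arch.db"), cutoff)
        arch = sqlite3.connect(os.path.join(tmpdir, "arch.db"))
        newest = acid_style_listing(arch, 1)[0][2]
        arch.close()
    finally:
        shutil.rmtree(tmpdir)
    return {"moved": moved, "archived": archived, "remaining": remaining, "newest_archived": newest}


if __name__ == "__main__":
    print(demo())
```

Run on a cron interval; because the copy and delete are one transaction, a run that dies part-way can simply be repeated. The `timestamp` index is what keeps the cutoff scan cheap as the live table grows; the archive keeps the same schema so the same ACID queries (or a second ACID instance pointed at it) still work for historical searches.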


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







