Snort mailing list archives
Re: mysql, base, and snort and a plea for tips in general
From: "David J. Bianco" <david () vorant com>
Date: Fri, 15 Jun 2007 11:53:17 -0400
John, I feel your pain, as I'm sure many others here do. A good IDS setup can be kind of confusing if you've never dealt with one before. Here are a few comments that may help you out:

1) Take the Snort training from Sourcefire if you can. They really do go into a lot of detail about what Snort is and how it works. It also covers basic BASE tasks, rule maintenance, etc. Good stuff, and you'll need this information on an almost daily basis. (Disclaimer: I've taught those classes in the past, so I do have a sporadic business relationship with Sourcefire. But it's still good advice if you have a little cash to spend.)

2) You mentioned that you're using BASE. The most likely reason that your database is slow is that you're not deleting alerts once you've looked at them. You need to do this, otherwise you'll find things just getting slower and slower. You can use BASE's "archive database" feature to save specific alerts that you might need to refer back to later, but in general you shouldn't keep very many alerts in the database.

3) Since you asked about alternatives to BASE... There are several, but I think BASE is still the most popular. I'm part of the Sguil project (www.sguil.net), which also uses Snort to generate IDS alerts, but it encompasses lots of other different data sources, too. It's more of a network forensic tool for intrusion analysts. However, it might help you with your problem of interpreting the alerts. One of the reasons Sguil exists is to quickly answer the analyst's questions about an alert. Many people have found that being able to query Sguil for supporting information really speeds the process up a lot. It can be a bear to get up and running, though, I have to say. But if you're doing intrusion analysis as a significant part of your job, it might be worth checking out.

David

John Baker wrote:
Hello, I'm a new Network Administrator trying to get a grip on the Snort setup that I inherited. It sends the output to a LAMP server with BASE and SnortReport as the frontends. I noticed a little discussion about this over the last few days, so I thought that I would ask for a little advice on my troubles. It seems to quickly become an unhelpful time sink. The first big problem I have is the simple maintenance of the database. It seems to easily and quickly get out of hand and slow queries waaaaay down while using almost all of the CPU. Are there any specific MySQL indexes, joins, or maintenance scripts that are good for performance? I noticed somebody say that this setup is just not a good idea. Others have noted that Barnyard can help. I understand how Barnyard can help Snort itself, but how can it help the MySQL end? And what is a better setup than MySQL/BASE? And last, I could really use a good guide to interpreting the alerts themselves. It sucks up a lot of my time just figuring out whether something is important or not. Does anybody have any good suggestions for interpretation guides? Thanks.
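The pruning David recommends in point 2 can be scripted rather than clicked through in BASE. The example below is an added illustration for this archived thread, not code from either poster, from BASE, or from the Snort project. It assumes the classic Snort database layout that BASE reads: an `event` table keyed on `(sid, cid)` plus per-header and payload tables (`iphdr`, `tcphdr`, `udphdr`, `icmphdr`, `opt`, `data`) and BASE's own `acid_event`, all sharing that key. An in-memory SQLite database with a handful of constructed rows stands in for MySQL so the script runs offline; the table names, column subset and sample timestamps are assumptions, so compare them with `SHOW TABLES` / `DESCRIBE event` on your own server before pointing anything like this at it.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumption: the child tables that hang off event(sid, cid) in the classic
# Snort/BASE schema. Only these constant names are ever interpolated into SQL.
EVENT_CHILD_TABLES = ("iphdr", "tcphdr", "udphdr", "icmphdr", "opt", "data",
                      "acid_event")

# Fixed "now" so the constructed sample data is reproducible.
SAMPLE_NOW = datetime(2007, 6, 15, 12, 0, 0)


def build_sample_db(now=SAMPLE_NOW):
    """In-memory SQLite stand-in for the Snort schema, loaded with constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, "
                 "timestamp TEXT, PRIMARY KEY (sid, cid))")
    for table in EVENT_CHILD_TABLES:
        conn.execute(f"CREATE TABLE {table} (sid INTEGER, cid INTEGER, "
                     f"PRIMARY KEY (sid, cid))")
    # Constructed sample: five alerts from sensor 1, three older than a month.
    ages_in_days = [45, 40, 31, 5, 1]
    for cid, age in enumerate(ages_in_days, start=1):
        ts = (now - timedelta(days=age)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (1, cid, 1000 + cid, ts))
        for table in ("iphdr", "tcphdr", "data", "acid_event"):
            conn.execute(f"INSERT INTO {table} VALUES (?, ?)", (1, cid))
    conn.commit()
    return conn


def prune_old_alerts(conn, retention_days, now=SAMPLE_NOW):
    """Delete alerts older than retention_days: child rows first, then the event row.

    Returns the number of event rows removed. Deleting children first keeps the
    database consistent even if the run is interrupted part-way through.
    """
    cutoff = (now - timedelta(days=retention_days)).strftime("%Y-%m-%d %H:%M:%S")
    victims = conn.execute(
        "SELECT sid, cid FROM event WHERE timestamp < ?", (cutoff,)).fetchall()
    for sid, cid in victims:
        for table in EVENT_CHILD_TABLES:
            conn.execute(f"DELETE FROM {table} WHERE sid = ? AND cid = ?", (sid, cid))
        conn.execute("DELETE FROM event WHERE sid = ? AND cid = ?", (sid, cid))
    conn.commit()
    return len(victims)


def alert_count(conn):
    """Number of alerts still in the event table."""
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def orphan_count(conn):
    """Child rows whose (sid, cid) no longer exists in event; should be 0 after pruning."""
    total = 0
    for table in EVENT_CHILD_TABLES:
        total += conn.execute(
            f"SELECT COUNT(*) FROM {table} AS c WHERE NOT EXISTS "
            f"(SELECT 1 FROM event AS e WHERE e.sid = c.sid AND e.cid = c.cid)"
        ).fetchone()[0]
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print("alerts before:", alert_count(db))
    print("removed:", prune_old_alerts(db, retention_days=30))
    print("alerts after:", alert_count(db), "orphans:", orphan_count(db))
```

Two things worth noting before adapting this to MySQL. First, it only deletes; anything you want to keep should go through BASE's archive feature (or a copy into a separate database) before the retention window expires. Second, the `WHERE timestamp < ?` scan and the per-row child deletes are only cheap if `event.timestamp` and every child table's `(sid, cid)` are indexed, so check the existing indexes on your server before scheduling this from cron.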
Current thread:
- mysql, base, and snort and a plea for tips in general John Baker (Jun 15)
- Re: mysql, base, and snort and a plea for tips in general David J. Bianco (Jun 15)