Snort mailing list archives

RE: Re: (Snort-users) Log analysis tools


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Thu, 6 Sep 2001 13:37:41 -0400

ACID uses a database rather than flat files as its repository, and the
database will benefit from as much memory as you can give it. Installation
is not difficult, but tuning any database is an art. ACID is, however, a
great realtime analysis tool, and well worth the effort. 

I've installed ACID and a Postgres database on a moderate-sized machine
dedicated to the analysis/reporting function, and have the Snort probes
running on smaller boxes with dual NICs, the primary NIC being the sniffer
port, and the second being a private LAN to the analysis machine. ACID
performance is adequate, but not snappy.

I use ACID for followup analysis of events, and performance isn't a major
issue. The probes I've installed are autonomous, each having a modem and
phone line and some additional intelligence to do exception paging when
Snort detects a problem. So ACID's real strength for me is its analysis
capabilities once I've been paged.

-----Original Message-----
From: Subba Rao [SMTP:subba9 () home com]
Sent: Thursday, September 06, 2001 9:44 AM
To:   sandro.poppi () wacker com
Cc:   snort-users () lists sourceforge net
Subject:      [Snort-users] Re: (Snort-users) Log analysis tools

On  0, sandro.poppi () wacker com wrote:

Try ACID. It's not that simple to install because of various support packages
needed and it's database related, but you get all alerts when they happen
(nearly realtime) and it can be queried via a browser.

ACID can be found on http://www.cert.org/kb/acid/


Thank you for replying and this info. Is ACID a memory hog? SnortSnarf needs a
lot of tuning up (that is another discussion). I would assume that such an
(ACID) setup would be on a different box and not on the Snort agent itself.

Thank you once again.
-- 

Subba Rao
subba9 () home com
http://members.home.net/subba9/

GPG public key ID CCB7344E
Key fingerprint = A8DD 4CBA 1E9B D962 A55B  2B55 BAFE 92C5 CCB7 344E

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
