Snort mailing list archives

RE: Question on database for Snort


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Mon, 31 Mar 2003 13:35:07 -0600


The majority of setups I've seen with MySQL tend to bog down greatly
when you approach 100k events in the db.  Postgres seems to handle much
more, but still has its problems as the numbers increase.  Oracle has
been the most stable, for those I've had experience with.  I've seen
several Oracle setups storing Snort information running much more
complex front-ends than ACID... that easily store and retrieve tens of
millions of records without much more delay than it would a few
thousand.

Of course, the overhead in running Oracle is greater, and the knowledge
required to install, run, and maintain an Oracle DB is way, way beyond
that of MySQL or Postgres.  If you have a good Oracle DBA, my opinion is
to go for Oracle.  If not, try to find some archiving solution for MySQL,
limiting it to less than 100k records in the main db, all while having
to rebuild the tables to get your space and speed back.

It's all about trading one headache for the other.... 

-----Original Message-----
From: FWAdmin [mailto:FWAdmin () nbpower com] 
Sent: Monday, March 31, 2003 8:42 AM
To: Snort-Users
Subject: [Snort-users] Question on database for Snort


Hello all. I am going to be doing a rather large Snort deployment for a
customer and I would like some opinions as to what back end database to
use for the Snort log files and data. I am using Red Hat 7.3 with MySQL
and ACID right now, but I would like to hear what others use in their
customer environments. We will probably stick with HP / Compaq hardware,
as that is the environment standard, but that is also open to
suggestions or comments.

Thanks.

                -Jason

Jason Thompson
Security Analyst
Networks and Communications
xwave





-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

