Snort mailing list archives

RE: Anyone using "Enterprise implementation"?


From: "Jeff Dell" <jdell () activeworx com>
Date: Tue, 26 Aug 2003 10:30:59 -0400

You need to modify your signatures. Take a look at which signatures are
triggering 1000+ times and seriously look at them to see if you need
them or if you can tune them so you don't get so many events. If you are
getting that many events most likely you won't even look at them anyway,
so it isn't much use to alert on them. 

Also, if this is the first time you are installing an IDS, you might
want to take a closer look at these events to make sure they are not
legit. With all this worm activity, it could very well be a large amount
of worm activity that is causing this.

Good luck!
Jeff
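The triage Jeff describes (rank signatures by how often they fire, decide per signature whether the noise is one misbehaving source that wants a threshold or many sources that want a closer look first, then tune) is shown below as an added example; it is not code from the thread or from the Snort project. It assumes the sensor also writes Snort 2.x `alert_fast` output, which the posters do not mention using, and the sample alert lines, the `LOCAL noisy web scan` rule name and SID, and the "three or more distinct sources means investigate" heuristic are all constructed for the example. The emitted tuning line uses the Snort 2.x threshold.conf syntax (`threshold gen_id ..., sig_id ..., type limit, track by_src, ...`).

```python
"""Rank Snort alerts by signature to find tuning candidates.

Added example (not from the mailing-list thread): reads Snort 2.x
"alert_fast" output, counts events per generator:signature ID and
separates "one noisy source, tune the rule" from "many sources,
investigate first" with a simple distinct-source heuristic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort alert_fast format (not real traffic).
# SID 1000001 / "LOCAL noisy web scan" is a made-up local rule.
SAMPLE_ALERTS = """\
08/26-09:01:02.123456  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.0.7:1434
08/26-09:01:03.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.6:1434 -> 192.168.0.7:1434
08/26-09:01:03.400212  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.7:1434 -> 192.168.0.7:1434
08/26-09:01:04.010000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.2.20:1434 -> 192.168.0.9:1434
08/26-09:01:04.200000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.2.21:1434 -> 192.168.0.9:1434
08/26-09:01:05.900000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.3.2:1434 -> 192.168.0.9:1434
08/26-09:02:00.000000  [**] [1:1000001:1] LOCAL noisy web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40001 -> 192.168.0.80:80
08/26-09:02:00.100000  [**] [1:1000001:1] LOCAL noisy web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40002 -> 192.168.0.80:80
08/26-09:02:00.200000  [**] [1:1000001:1] LOCAL noisy web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40003 -> 192.168.0.80:80
08/26-09:02:00.300000  [**] [1:1000001:1] LOCAL noisy web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40004 -> 192.168.0.80:80
08/26-09:02:00.400000  [**] [1:1000001:1] LOCAL noisy web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40005 -> 192.168.0.80:81
08/26-09:03:10.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.3 -> 192.168.0.7
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, classification,
# priority, {PROTO}, src[:port] -> dst[:port]. Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    return d


def summarize(alert_text):
    """Count events and distinct source IPs per (gid, sid)."""
    counts, sources, names = Counter(), defaultdict(set), {}
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        counts[key] += 1
        sources[key].add(a["src"])
        names[key] = a["msg"]
    return counts, sources, names


def tuning_candidates(alert_text, min_events=1000, spread_sources=3):
    """Signatures firing >= min_events, loudest first, each with a verdict.

    Heuristic (an assumption of this example, not a Snort rule): a signature
    hit from many distinct sources looks like worm-style spread and should be
    investigated before it is silenced; a signature hit from one or two
    sources is a tuning candidate.
    """
    counts, sources, names = summarize(alert_text)
    out = []
    for key, n in counts.most_common():
        if n < min_events:
            break  # most_common() is sorted descending
        distinct = len(sources[key])
        verdict = "investigate" if distinct >= spread_sources else "tune"
        out.append({"gid": key[0], "sid": key[1], "msg": names[key],
                    "events": n, "sources": distinct, "verdict": verdict})
    return out


def threshold_line(gid, sid, count=1, seconds=60):
    """Snort 2.x threshold.conf entry: at most `count` alerts per source
    per `seconds` for this signature, instead of one event per packet."""
    return (f"threshold gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count {count}, seconds {seconds}")


if __name__ == "__main__":
    # min_events lowered to 3 so the small constructed sample shows both verdicts
    for c in tuning_candidates(SAMPLE_ALERTS, min_events=3):
        print(f"[{c['gid']}:{c['sid']}] {c['msg']}: {c['events']} events "
              f"from {c['sources']} source(s) -> {c['verdict']}")
        if c["verdict"] == "tune":
            print("   ", threshold_line(c["gid"], c["sid"]))
```

Run against the real `alert` file with the default `min_events=1000` to get the list Jeff asks for; a `suppress gen_id ..., sig_id ...` line in the same file removes a signature outright if the review concludes it is not needed at all, while the `threshold ... type limit` form keeps one event per source per minute so the console still shows who is hitting the rule.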

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Emre
Bastuz
Sent: Tuesday, August 26, 2003 5:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Anyone using "Enterprise implementation"?


Hi,

I've been planning to deploy Acid+Snort+Snortcenter in an "enterprise"
scenario with about 10 sensors with GigE interfaces and one management
machine with mysql, apache, etc.

During my initial test Snort wrote about 6 Gig of information from
sensor to management machine within 8 hours.

Not that I did not expect this, but the mysql queries on the Acid console
take forever, thus leaving the system completely useless.

I read the FAQ and also did some serious Googling to learn how to improve
performance, but creating indexes and tuning buffers did not really help.

Is anyone out there using Acid+Snort+Snortcenter in an environment like
I'm planning to do?

How do you guys handle the huge data that is being written to the db?

Just wondering: just one sensor with GigE, sniffing on 3x100mbit, is
generating that much data; how does Acid+Snort scale when used with more
sensors?

I could live with doing daily archives of the database, but I'm afraid
with multiple sensors I would have to switch to archiving every 12 or 6
hours.

Any solution or suggestion? Even links, FAQs and docs I might have
missed are very welcome :)

Emre

-- 
info () emre de              http://www.emre.de        
UIN: 561260           PGP Key ID: 0xAFAC77FD
I don't see why some people even HAVE cars. -- Calvin


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click
here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users