Snort mailing list archives

Re: Alternative to BASE


From: Bamm Visscher <bamm.visscher () gmail com>
Date: Wed, 28 Apr 2010 15:09:52 -0400

Ouch. Okay, I'll bite.

Most of the scaling problems I have seen have more to do with
insufficient hardware (trying to do full packet capture of a 100Mbps
link on an 80GB IDE disk or put a couple million rows per day of SANCP
data into a vastly undersized mysql DB), poor architecture decisions
(where you put sensors is important), or a misunderstanding of what
analysis using Sguil means.

If anyone is having problems with scaling, please let me know.  I have
over 100 sensors deployed on various links from 10Mbps to 1Gbps, all
reporting to a (single) central Sguil server and MySQL DB. Yeah, there
were some hurdles to overcome and hopefully I can get those lessons
learned into the CVS soon.

Bamm


On Wed, Apr 28, 2010 at 2:45 PM, Jeff Kell <jeff-kell () utc edu> wrote:
On 4/28/2010 12:27 PM, Stephen Mullins wrote:
As an analyst I can tell you that Sguil is the best IDS analysis front
end that I have ever seen.  It blows anything web based out of the
water.


But it only scales up to a point (as with many/most "IDS analysis" tools,
each has its threshold of pain).

Jeff

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
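A back-of-the-envelope sizing calculation for the two undersizing mistakes Bamm describes above (full packet capture of a 100Mbps link on an 80GB disk, and a couple million SANCP rows per day into a small MySQL instance). This is an added example, not code from Sguil, SANCP or the list post; the 512-byte average on-disk row size (data plus indexes), the 30% link utilization and the 30-day retention target are assumptions chosen for illustration, not measurements.

```python
"""Capacity-planning arithmetic for an NSM sensor that does full packet
capture and writes SANCP session records to a central MySQL database.

Added example, not Sguil/SANCP project code. The bytes-per-row figure,
the utilization fraction and the retention target are assumptions.
"""

from dataclasses import dataclass

MBIT = 1_000_000   # link rates are quoted in decimal megabits per second
GIB = 1024 ** 3    # disk sizes below are treated as GiB


@dataclass(frozen=True)
class Sensor:
    link_mbps: float         # nominal link rate, e.g. 100 for Fast Ethernet
    utilization: float       # fraction of the link actually carrying traffic (0..1)
    capture_disk_gib: float  # space available for rotating pcap files
    sancp_rows_per_day: int  # session records written per day
    bytes_per_row: int = 512 # ASSUMED average on-disk row size incl. indexes

    def capture_bytes_per_second(self) -> float:
        """Bytes the packet logger must write per second at this utilization."""
        return self.link_mbps * MBIT / 8 * self.utilization

    def pcap_retention_hours(self) -> float:
        """Hours of traffic the capture disk holds before the oldest pcap
        files have to be deleted to make room for new ones."""
        return self.capture_disk_gib * GIB / self.capture_bytes_per_second() / 3600

    def capture_disk_for_retention_gib(self, days: float) -> float:
        """Disk needed to keep `days` of full packet capture."""
        return self.capture_bytes_per_second() * 86400 * days / GIB

    def sancp_growth_gib_per_day(self) -> float:
        """Daily growth of the session table in the central DB."""
        return self.sancp_rows_per_day * self.bytes_per_row / GIB

    def sancp_disk_for_retention_gib(self, days: float) -> float:
        """DB disk needed to keep `days` of session records for this sensor."""
        return self.sancp_growth_gib_per_day() * days


def plan(sensor: Sensor, retention_days: float) -> dict:
    """Summarize what the sensor has now versus what the retention target needs."""
    return {
        "pcap_retention_hours_now": round(sensor.pcap_retention_hours(), 1),
        "pcap_disk_gib_needed": round(sensor.capture_disk_for_retention_gib(retention_days)),
        "sancp_gib_per_day": round(sensor.sancp_growth_gib_per_day(), 2),
        "sancp_disk_gib_needed": round(sensor.sancp_disk_for_retention_gib(retention_days)),
    }


if __name__ == "__main__":
    # The undersized deployment from the post: 100Mbps link, 80GB disk,
    # ~2 million SANCP rows/day. 30% utilization is a constructed figure.
    undersized = Sensor(link_mbps=100, utilization=0.3, capture_disk_gib=80,
                        sancp_rows_per_day=2_000_000)
    print(plan(undersized, retention_days=30))
    # Worst case: a saturated link fills the same disk in under two hours.
    saturated = Sensor(link_mbps=100, utilization=1.0, capture_disk_gib=80,
                       sancp_rows_per_day=2_000_000)
    print(round(saturated.pcap_retention_hours(), 1), "hours at 100% utilization")
```

The point the numbers make is the one in the post: at 30% utilization the 80GB disk holds about six hours of packets, and a saturated 100Mbps link fills it in under two hours, so a month of full capture needs on the order of nine terabytes rather than tens of gigabytes. The session-record side is comparatively cheap per sensor (about a gigabyte a day under the assumed row size), but it is multiplied by every sensor reporting to the single central database, which is where the DB sizing goes wrong.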
