Snort mailing list archives
Re: HELP ON SNORT
From: beenph <beenph () gmail com>
Date: Sun, 29 Jan 2012 23:20:44 -0500
On Sun, Jan 29, 2012 at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:
> All, Cliffnotes: Snorby is not an archive interface and can scale very well when used properly. Snorby is using NEW technology and languages. (sorry?)
Two quick questions: 1) What is an archive interface, Dustin? 2) And what are the proper and improper uses of Snorby?
> hhmm, impractical use for large amounts of alerts? Well, Snorby is not an archive interface and it's intended for professionals that tune and know what they are looking for. I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes. Listen, if someone can figure out how to scale this DB schema to that amount of raw data and still build time based metrics.. You should be working for the Google R&D team.. Because you obviously figured out how to do quantum storage / processing.
The real issue actually lies elsewhere. The default database schema that people have been relying on for a few years to store and process alerts is not in a state where you can even think about performance, and this is in the process of getting addressed. But even using an improved database schema is not all. UI technology/behavior and DBMS configuration will play a huge role in how things will be able to scale in the end.

Deployment of such infrastructure is often done/suggested by some tutorials to coexist on the same system (IDS/Event logger/Database/Web server/UI), which is generally set to fail in the first place. Technically you should have dedicated sensors, at least one dedicated database and at least one dedicated web server. People who are serious about learning will encounter issues at each level and will generally be able to adapt and come up with something viable for their needs in the end.

Anyhow, in the next months hopefully the new schema will allow people to scale better.

-elz
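Both posts above come back to alert volume: an untuned sensor producing 150k events every 30 minutes will bury any schema and any UI. The script below is an added example, not code from the thread or from the Snort/Snorby projects. It parses Snort's alert_fast output, ranks signatures by how often they fire, and prints snort.conf event_filter lines for the noisy ones so that repeats from the same source are suppressed at the sensor before they ever reach the database. The alert lines, the rule SIDs/messages and the min_count threshold are constructed for the example; the alert_fast layout and the event_filter syntax are Snort's own.

```python
"""Parse Snort alert_fast lines and flag noisy signatures for tuning."""
import re
from collections import Counter

# Snort's alert_fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]".
# Classification and ports are optional (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real sensor output): one noisy local rule
# firing repeatedly from the same host, plus one genuinely interesting hit.
SAMPLE_ALERTS = """\
01/29-23:00:01.000001  [**] [1:1000001:1] LOCAL noisy ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1
01/29-23:00:02.000001  [**] [1:1000001:1] LOCAL noisy ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1
01/29-23:00:03.000001  [**] [1:1000001:1] LOCAL noisy ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1
01/29-23:00:04.000001  [**] [1:1000001:1] LOCAL noisy ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1
01/29-23:00:05.000001  [**] [1:1000001:1] LOCAL noisy ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.21 -> 192.168.1.1
01/29-23:00:06.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:52345
"""


def parse_alerts(text):
    """Return one dict per well-formed alert_fast line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_signature(alerts):
    """Count alerts per (gid, sid, msg) so the loudest rules surface first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def suggest_event_filters(alerts, min_count=3, seconds=60):
    """Emit snort.conf event_filter lines for signatures that fired at least
    min_count times (min_count is an arbitrary cut-off for this example).
    'type limit, count 1' keeps the first alert per source per window and
    drops the rest, cutting DB inserts without disabling the rule."""
    suggestions = []
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        if n < min_count:
            continue
        srcs = {a["src"] for a in alerts if a["gid"] == gid and a["sid"] == sid}
        suggestions.append(
            "# %s: %d alerts from %d source(s)\n"
            "event_filter gen_id %s, sig_id %s, type limit, track by_src, count 1, seconds %d"
            % (msg, n, len(srcs), gid, sid, seconds)
        )
    return suggestions


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sig, n in count_by_signature(parsed).most_common():
        print("%6d  [%s:%s] %s" % (n, sig[0], sig[1], sig[2]))
    print()
    print("\n".join(suggest_event_filters(parsed)))
```

Run it against a real alert file by feeding the file contents to parse_alerts and review the suggestions before pasting them into snort.conf or threshold.conf: a rule that fires thousands of times from one host is usually a candidate for a limit filter or a local exception, but the same count spread across many sources may be the incident you deployed the sensor to find.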