RE: Central Report for IDS-System

["Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>]

Well, I'll take a crack at all of these.  :-)

I am currently using MySQL (Ver 11.15 Distrib 3.23.40) as the central
database.  The DB currently contains ~ 2 million events, and is about
1.1 Gb in size.  It runs fine, and I have had no stability problems.
The DB platform is RedHat 7.1 on a Compaq PII-350 w/ 128MB RAM and a 6Gb
IDE HD.  The machine usually runs at about 0.1 load points.  I've also
used snort reporting to Oracle and Microsoft SQL db's (not using the
built in snort methods, but rather with custom PerlDBI routines), and
MySQL is more stable, much faster, and easier to use.  When it comes to
scalability, Oracle is the clear choice.  

For reporting from the database, you could use ACID, SnortReport, or one
of many other solutions.  In my case, I really liked Snort Report but it
was glacially slow.  It was written using PHP, which I don't currently
know or use, so I used it as a model and re-implemented it using
Perl/DBI/CGI.pm.  That took about a week or so.  Since then, I've been
adding some functions and tinkering with it, but you really can't count
that time.

Yes, it's possible to encrypt the sensor to DB traffic.  Look at OpenSSL
and Stunnel.  There was an excellent article that explained how stunnel
can be used for almost any service in the August 2001 issue of SysAdmin
magazine, if you can get your hands on it.

As far as OS goes, I'm not going to get into that battle.  I use RedHat
because I use RedHat - it's widely available for download, and I happen
to have it on CD.  As long as it doesn't crash, isn't full of holes, and
runs my code, I don't really pay much attention to whether one platform
is 10% faster or slower than another.  We also use Solaris here, and it
works fine for the things we use it for, but that does not currently
include IDS systems.  I'm sure that this solution would probably work
just fine on Solaris, Debian, NameYourBSD, Slackware, etc.  

Hope this helps,

Andrew Hutchinson
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson () vanderbilt edu


>  -----Original Message-----
> From:         snort-users-admin () lists sourceforge net@VANDERBILT   On
> Behalf Of manfred.steinbacher () avl com
> Sent: Thursday, October 04, 2001 3:48 PM
> To:   snort-users () lists sourceforge net
> Subject:      [Snort-users] Central Report for IDS-System
>
> Hello
>
> Have anyone an experience how long I need to make following solution:
>
> We want to install there IDS-Snort Senors and one central Management
> station.
> The question what I have now:
> What does I need to make a central solution (MySql and ...)?
> How stable is this solution?
> How much time must I spend to get this system up and running ?
> Is it possible to encrypte the data-transfer from the sensor to the
> management station.
> Which OS should we use (Linux (RedHat or Debian), SUN ..)
>
> Many Thanks for any information
> manfred
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users