Snort mailing list archives
RE: Central Report for IDS-System
From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Thu, 4 Oct 2001 15:08:26 -0500
Well, I'll take a crack at all of these. :-)

I am currently using MySQL (Ver 11.15 Distrib 3.23.40) as the central database. The DB currently contains ~2 million events, and is about 1.1 Gb in size. It runs fine, and I have had no stability problems. The DB platform is RedHat 7.1 on a Compaq PII-350 w/ 128MB RAM and a 6Gb IDE HD. The machine usually runs at about 0.1 load points. I've also used snort reporting to Oracle and Microsoft SQL db's (not using the built-in snort methods, but rather with custom Perl DBI routines), and MySQL is more stable, much faster, and easier to use. When it comes to scalability, Oracle is the clear choice.

For reporting from the database, you could use ACID, SnortReport, or one of many other solutions. In my case, I really liked Snort Report but it was glacially slow. It was written using PHP, which I don't currently know or use, so I used it as a model and re-implemented it using Perl/DBI/CGI.pm. That took about a week or so. Since then, I've been adding some functions and tinkering with it, but you really can't count that time.

Yes, it's possible to encrypt the sensor-to-DB traffic. Look at OpenSSL and Stunnel. There was an excellent article that explained how stunnel can be used for almost any service in the August 2001 issue of SysAdmin magazine, if you can get your hands on it.

As far as OS goes, I'm not going to get into that battle. I use RedHat because I use RedHat - it's widely available for download, and I happen to have it on CD. As long as it doesn't crash, isn't full of holes, and runs my code, I don't really pay much attention to whether one platform is 10% faster or slower than another. We also use Solaris here, and it works fine for the things we use it for, but that does not currently include IDS systems. I'm sure that this solution would probably work just fine on Solaris, Debian, NameYourBSD, Slackware, etc.
Hope this helps,

Andrew Hutchinson
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson () vanderbilt edu
-----Original Message-----
From: snort-users-admin () lists sourceforge net@VANDERBILT On Behalf Of manfred.steinbacher () avl com
Sent: Thursday, October 04, 2001 3:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Central Report for IDS-System

Hello

Has anyone any experience with how long I would need to build the following solution: We want to install there IDS-Snort Sensors and one central Management station. The questions I have now:

What do I need to make a central solution (MySQL and ...)?
How stable is this solution?
How much time must I spend to get this system up and running?
Is it possible to encrypt the data transfer from the sensor to the management station?
Which OS should we use (Linux (RedHat or Debian), SUN ..)?

Many thanks for any information

manfred

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
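Andrew's reply describes re-implementing SnortReport as a set of report queries over the central Snort database (top signatures, activity per sensor, and so on). The following is an added example, not code from the thread or from SnortReport/ACID: it builds a small in-memory stand-in for the Snort database layout (sensor, signature, event and iphdr tables, with IP addresses stored as unsigned 32-bit integers, which is how the classic Snort/ACID schema stores them) using sqlite3 in place of MySQL, loads a few constructed alerts, and runs the kind of summary queries a reporting frontend issues. The table and column names are assumptions based on that schema; the sample sensors, signatures and addresses are constructed for the example.

```python
"""Summary reports over a Snort-style event database (constructed example).

sqlite3 stands in for MySQL so the example runs offline. The schema is an
assumption modelled on the classic Snort/ACID layout: sensor, signature,
event and iphdr, with ip_src/ip_dst stored as unsigned 32-bit integers.
"""
import ipaddress
import sqlite3

SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

# Constructed sample data: three sensors, three rules, six alerts.
SENSORS = [(1, "sensor-dmz", "eth1"), (2, "sensor-core", "eth1"), (3, "sensor-lab", "eth0")]
SIGNATURES = [(1, "ICMP PING NMAP", 3), (2, "WEB-IIS cmd.exe access", 1), (3, "SCAN SYN FIN", 2)]
EVENTS = [  # (sid, cid, sig_id, timestamp, src, dst) - documentation-range addresses
    (1, 1, 2, "2001-10-04 14:01:00", "203.0.113.5", "192.0.2.10"),
    (1, 2, 2, "2001-10-04 14:01:05", "203.0.113.5", "192.0.2.10"),
    (1, 3, 1, "2001-10-04 14:02:00", "203.0.113.9", "192.0.2.10"),
    (2, 1, 3, "2001-10-04 14:03:00", "203.0.113.5", "192.0.2.20"),
    (2, 2, 2, "2001-10-04 14:04:00", "198.51.100.7", "192.0.2.20"),
    (3, 1, 1, "2001-10-04 14:05:00", "203.0.113.9", "192.0.2.30"),
]


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> unsigned 32-bit int, the form the Snort schema stores."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    """Unsigned 32-bit int -> dotted quad, for display in reports."""
    return str(ipaddress.IPv4Address(value))


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?, ?, ?)", SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst in EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst), 6))
    conn.commit()
    return conn


def top_signatures(conn: sqlite3.Connection, limit: int = 5):
    """Most frequently firing rules: [(sig_name, priority, count), ...]."""
    # Parameters are bound, never interpolated, because a CGI report
    # frontend passes values that originate from the browser.
    return conn.execute(
        "SELECT s.sig_name, s.sig_priority, COUNT(*) AS n "
        "FROM event e JOIN signature s ON e.signature = s.sig_id "
        "GROUP BY s.sig_id, s.sig_name, s.sig_priority "
        "ORDER BY n DESC, s.sig_priority ASC LIMIT ?", (limit,)).fetchall()


def events_per_sensor(conn: sqlite3.Connection):
    """Alert volume per sensor, including sensors that reported nothing."""
    return conn.execute(
        "SELECT se.hostname, COUNT(e.cid) AS n "
        "FROM sensor se LEFT JOIN event e ON e.sid = se.sid "
        "GROUP BY se.sid, se.hostname ORDER BY n DESC, se.hostname").fetchall()


def top_talkers(conn: sqlite3.Connection, limit: int = 5):
    """Source addresses generating the most alerts, converted back to dotted form."""
    rows = conn.execute(
        "SELECT ip_src, COUNT(*) AS n FROM iphdr "
        "GROUP BY ip_src ORDER BY n DESC, ip_src LIMIT ?", (limit,)).fetchall()
    return [(int_to_ip(src), n) for src, n in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("Top signatures:", top_signatures(db))
    print("Events per sensor:", events_per_sensor(db))
    print("Top talkers:", top_talkers(db))
```

Against a real Snort MySQL database the same three queries run unchanged through Perl DBI or Python's MySQL drivers; the only sqlite-specific part is the `:memory:` connection. Note that the reporting tier is the piece that faces a browser, so any filter value it accepts (signature name, date range, address) should be bound as a query parameter exactly as above rather than pasted into the SQL string.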