Snort mailing list archives
RE: Re: ACID and multiple databases
From: Ju Kong Fui <kongfui () TP EDU SG>
Date: Fri, 12 Oct 2001 09:39:06 +0800
Snort can send logs to a remote SQL server, which means you can configure all your Snort sensors to log to a single SQL server, and then run ACID queries on the SQL server. A better config would be running Snort, SQL server and ACID on different physical boxes individually so that the performance bottleneck of one box will not affect another.

-----Original Message-----
From: roman () danyliw com [mailto:roman () danyliw com]
Sent: Friday, 12 October, 2001 01:45 AM
To: Dominick, David
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] Re: ACID and multiple databases

ACID cannot pull from multiple database servers. Currently, queries can only be executed against one database at a time.

Possible hacks include:

* configuring Snort to log to both the local database and a central database
  + Pro: happens automatically
  - Con: could slow down Snort's detection functionality
  - Con: data cannot cross administrative domains
* archive alerts from the 6 databases into a common database
  - Con: aggregation requires manual intervention
* custom scripts to perform equivalent of archiving
  + Pro: happens automatically
  + Pro: no degradation in Snort detection performance
  - Con: no such scripts exist

Roman

On Thu, 11 Oct 2001, Dominick, David wrote:
Can my acid console pull from multiple MySQL servers? If so, can you tell me the conf for it. (I have 6 boxes out running snort all with their own local database. I want to monitor that from a central machine.)

Thank you,
David Dominick
Enterprise Security Engineering
404-202-2848
---------------------------------------------
This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
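The "custom scripts to perform equivalent of archiving" option in the quoted reply, sketched as an added example (not code from this thread or from the Snort or ACID projects). It assumes a reduced two-table schema (`sensor`, `event`), uses SQLite as a stand-in for MySQL so it runs offline, and the hostnames and alert names are constructed.

```python
import sqlite3

# Reduced stand-in for the Snort database schema (assumption): only the
# columns needed to show the merge problem are kept.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT UNIQUE);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature TEXT, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
"""

def make_db(hostname=None, events=()):
    """Create an in-memory database; optionally fill it like a local sensor DB."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if hostname:
        db.execute("INSERT INTO sensor (sid, hostname) VALUES (1, ?)", (hostname,))
        db.executemany("INSERT INTO event VALUES (1, ?, ?, ?)", events)
    return db

def archive(source, central):
    """Copy events not yet archived from one sensor database into the central one.

    Every local database numbers its own sensor sid=1, so sids are remapped by
    hostname; (sid, cid) then stays unique and a re-run copies only new events.
    """
    copied = 0
    for local_sid, hostname in source.execute("SELECT sid, hostname FROM sensor").fetchall():
        central.execute("INSERT OR IGNORE INTO sensor (hostname) VALUES (?)", (hostname,))
        (central_sid,) = central.execute(
            "SELECT sid FROM sensor WHERE hostname = ?", (hostname,)).fetchone()
        (last_cid,) = central.execute(
            "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (central_sid,)).fetchone()
        rows = source.execute(
            "SELECT cid, signature, timestamp FROM event WHERE sid = ? AND cid > ?",
            (local_sid, last_cid)).fetchall()
        central.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                            [(central_sid, *r) for r in rows])
        copied += len(rows)
    central.commit()
    return copied

# Constructed sample data: two sensors, each with its own local database.
SENSOR_A = make_db("sensor-a", [(1, "example alert 1", "2001-10-11 10:00:00"),
                                (2, "example alert 2", "2001-10-11 10:05:00")])
SENSOR_B = make_db("sensor-b", [(1, "example alert 3", "2001-10-11 10:01:00")])
```

Run periodically from the central machine, this keeps detection on the sensors unaffected, since the copy reads from each local database instead of adding a second output to Snort.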
Current thread:
- ACID and multiple databases Dominick, David (Oct 11)
- Re: ACID and multiple databases Saad Kadhi (Oct 14)
- <Possible follow-ups>
- Re: ACID and multiple databases roman (Oct 11)
- RE: Re: ACID and multiple databases Ju Kong Fui (Oct 11)
- RE: Re: ACID and multiple databases Dominick, David (Oct 12)
- RE: Re: ACID and multiple databases Roman Danyliw (Oct 15)