Snort mailing list archives

Re: Data archiving


From: Erick Mechler <emechler () techometer net>
Date: Wed, 19 Mar 2003 14:47:52 -0800

:: I'd like to know as well, please everyone pitch in on this.  Obviously, the
:: impulse answer is going to be 'it depends on your organization', but can we
:: all please be more forthcoming than that?

Uh, 'it depends on your organization'.  What makes sense for one team isn't 
right for another.

This is what I do:  I have a snort_log DB that contains 36 hours of alerts.  
Every hour, I rotate out any alerts that are older than 36 hours into a
snort_archive DB.  The snort_archive DB holds alerts that are less than 2
weeks old.  Also, every hour I permanently delete alerts older than 2 weeks
from the archive DB.  I use ACID to do pseudo-real-time viewing of alerts,
and then I also run SnortSnarf against both DBs on an hourly basis.  
SnortSnarf gives a better overall picture of what's going on, IMHO, and if
there's something I want to drill-down into that's what ACID is for.

Is keeping alerts for a year a good idea?  Perhaps, but not something that
my team deems necessary.  To put this into perspective, that would be on
the order of 32 million alerts over a 365 day period (based on my highly
accurate APH measurement[0]).  Needle in a haystack is what comes to mind.

Is it a good idea for you to keep alerts for a year?  That's something only
you and your team can decide.

Cheers - Erick

-----
 [0] alerts per hour
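The two-tier rotation Erick describes (hourly move of alerts older than 36 hours from snort_log into snort_archive, then permanent deletion from the archive after two weeks) is simple enough to implement as a small scheduled job. The following is an added example, not code from this thread or from the Snort/ACID projects. It assumes a simplified version of the Snort `event` table (sid, cid, signature, timestamp) and uses two SQLite in-memory databases to stand in for the two MySQL databases, so it runs offline; the sample alerts are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed, simplified form of the Snort "event" table (the real schema has
# more columns; only the ones the rotation needs are modelled here).
SCHEMA = """
CREATE TABLE IF NOT EXISTS event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

LOG_RETENTION = timedelta(hours=36)      # how long alerts stay in snort_log
ARCHIVE_RETENTION = timedelta(days=14)   # how long alerts stay in snort_archive
TS_FMT = "%Y-%m-%d %H:%M:%S"             # ISO-like so string comparison orders by time


def open_dbs():
    """Two in-memory databases standing in for snort_log and snort_archive."""
    log = sqlite3.connect(":memory:")
    archive = sqlite3.connect(":memory:")
    log.executescript(SCHEMA)
    archive.executescript(SCHEMA)
    return log, archive


def seed(log, now):
    """Constructed sample alerts at assorted ages (hours before `now`)."""
    ages_hours = [1, 12, 35, 37, 48, 24 * 10, 24 * 15, 24 * 20]
    rows = [
        (1, cid, 1000 + cid, (now - timedelta(hours=age)).strftime(TS_FMT))
        for cid, age in enumerate(ages_hours, start=1)
    ]
    log.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    log.commit()


def rotate(log, archive, now):
    """Move alerts older than LOG_RETENTION from the log DB to the archive DB.

    Copies first and deletes second, so a crash between the two steps leaves a
    duplicate (absorbed by INSERT OR IGNORE on the next run) rather than a lost alert.
    Returns the number of alerts moved.
    """
    cutoff = (now - LOG_RETENTION).strftime(TS_FMT)
    rows = log.execute(
        "SELECT sid, cid, signature, timestamp FROM event WHERE timestamp < ?",
        (cutoff,),
    ).fetchall()
    if not rows:
        return 0
    archive.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", rows)
    archive.commit()
    log.executemany(
        "DELETE FROM event WHERE sid = ? AND cid = ?", [(r[0], r[1]) for r in rows]
    )
    log.commit()
    return len(rows)


def purge(archive, now):
    """Permanently delete archived alerts older than ARCHIVE_RETENTION; returns count."""
    cutoff = (now - ARCHIVE_RETENTION).strftime(TS_FMT)
    cur = archive.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
    archive.commit()
    return cur.rowcount


def count(db):
    return db.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def hourly_job(log, archive, now):
    """One run of the hourly cron job: rotate, then purge. Returns a summary."""
    moved = rotate(log, archive, now)
    purged = purge(archive, now)
    return {
        "moved": moved,
        "purged": purged,
        "log_rows": count(log),
        "archive_rows": count(archive),
    }


if __name__ == "__main__":
    now = datetime(2003, 3, 19, 14, 0, 0)
    log, archive = open_dbs()
    seed(log, now)
    print(hourly_job(log, archive, now))   # first run moves 5, purges 2
    print(hourly_job(log, archive, now))   # second run in the same hour is a no-op
```

Against a real MySQL pair the two SQL statements per step are the same; the copy-then-delete order and the idempotent insert matter more than the dialect, because an hourly job that dies halfway should never be the thing that loses the evidence you later want to drill into.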


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
