Snort mailing list archives
Re: Demark PureSecure questions
From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Thu, 04 Mar 2004 19:33:31 -0500
sam () neuroflux com wrote:
Hello all. I am currently evaluating the Demarc Puresecure product, which appears to be a full featured centralized management interface for Snort.
We use PureSecure 1.6 here in a network environment of roughly 14,000 active nodes that spans several medical centers across eastern Massachusetts. It has worked quite well, used more intensely for its event management than for its snort reporting. I was one of the individuals who contributed patches and feedback to the developers back in the 1.0x timeframe. However, with the introduction of 1.6, the licensed open-source product has become effectively closed-sourced, distributed as a scrambled/obfuscated perl program (well, the console anyway; the daemon is still customizable).
We purchased a license of the product because it was patchable (to suit our environment) and because the price was right.
I don't use any of the snort-rules editing features, as I have my own set of scripts that automatically fetch the latest snortrules tarball and install it across our network of snort sensors. Snort is also run in a chrooted jail, which isn't handled by Demarc (at least in the version we have here). But as a display engine, Demarc is just fine. The only gotcha is that, should you have a misbehaving rule that creates, say, 100,000 entries in the snort database, Demarc will slow to an unusable crawl trying to display its main/summary page. It performs some count(*) operations on the union of a couple tables, and this slows things greatly when the database is well populated. But as long as you use thresholding with the new snort-2.1.1++ and keep your database in the 10,000 entry and under range, Demarc is just fine and reasonably responsive.
Kris