Snort mailing list archives

Re: Demark PureSecure questions


From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Thu, 04 Mar 2004 19:33:31 -0500

sam () neuroflux com wrote:

Hello all.  I am currently evaluating the Demarc Puresecure product, which
appears to be a full featured centralized management interface for Snort.


We use PureSecure 1.6 here in a network environment of roughly 14,000 active nodes that spans several medical centers across eastern Massachusetts. It has worked quite well, used more intensely for its event management than for its snort reporting. I was one of the individuals who contributed patches and feedback to the developers back in the 1.0x timeframe. However, with the introduction of 1.6, the licensed open-source product has become effectively closed-source, distributed as a scrambled/obfuscated perl program (well, the console anyway; the daemon is still customizable).

We purchased a license of the product because it was patchable (to suit our environment) and because the price was right.

I don't use any of the snort-rules editing features, as I have my own set of scripts that automatically fetch the latest snortrules tarball and install it across our network of snort sensors. Snort is also run in a chrooted jail, which isn't handled by Demarc (at least in the version we have here). But as a display engine, Demarc is just fine. The only gotcha is that, should you have a misbehaving rule that creates, say, 100,000 entries in the snort database, Demarc will slow to an unusable crawl trying to display its main/summary page. It performs some count(*) operations on the union of a couple of tables, and this slows things greatly when the database is well populated. But as long as you use thresholding with the new snort-2.1.1++ and keep your database in the 10,000-entries-and-under range, Demarc is just fine and reasonably responsive.

Kris
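The thresholding Kris mentions is configured in Snort 2.1.x through a threshold.conf file (pulled into snort.conf with an `include` line). The fragment below is an added example, not part of Kris's reply or of the Demarc product; the sig_id values in the local-rule range and the 10.0.0.5 address are constructed placeholders, not rules or hosts from the post. It shows the three ways to keep one noisy rule from filling the event database: a global per-source limit, per-rule limits, and an outright suppress.

```conf
# Added example: threshold.conf entries for Snort 2.1.x.
# sig_id values and the IP address below are constructed placeholders.

# Global fallback (gen_id 0 / sig_id 0 means "every rule"): each rule may
# log at most one event per source IP per 60-second window, so a single
# misbehaving rule cannot flood the database on its own.
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

# Rule-specific limit for a hypothetical local rule 1000001: keep the first
# 5 events per destination in each 5-minute window, drop the rest.
threshold gen_id 1, sig_id 1000001, type limit, track by_dst, count 5, seconds 300

# 'both' = alert once a source reaches 50 hits in 10 seconds, then stay quiet
# for the remainder of that window; useful for scan/flood style rules.
threshold gen_id 1, sig_id 1000002, type both, track by_src, count 50, seconds 10

# Silence a known-noisy rule entirely for one trusted source (constructed IP).
suppress gen_id 1, sig_id 1000003, track by_src, ip 10.0.0.5
```

A rule-specific `threshold` line overrides the global one for that sig_id, so the global entry acts as a safety net while individual rules get tuned windows. Suppressing by source is the right tool for a known false-positive host; limiting is better when you still want evidence that the rule fired, just not 100,000 copies of it.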



Snort-users mailing list
Snort-users () lists sourceforge net