[Snort-users] Re: ACID and multiple databases

Ju Kong Fui kongfui at ...3775...
Thu Oct 11 18:42:06 EDT 2001

Snort can send logs to a remote SQL server, which means you can configure all
your Snort sensors to log to a single SQL server, and then run ACID queries
on the SQL server.

A better config would be running Snort, SQL server and ACID on different
physical boxes individually so that the performance bottleneck of one box
will not affect another.

-----Original Message-----
From: roman at ...438... [mailto:roman at ...438...]
Sent: Friday, 12 October, 2001 01:45 AM
To: Dominick, David
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] Re: ACID and multiple databases

ACID cannot pull from multiple database servers.  Currently, queries
can only be executed against one database at a time.

Possible hacks include: 

* configuring Snort to log to both the local database and a central

 + Pro: happens automatically
 - Con: could slow down Snort's detection functionality
 - Con: data cannot cross administrative domains

* archive alerts from the 6 databases into a common database

 - Con: aggregation requires manual intervention

* custom scripts to perform equivalent of archiving

 + Pro: happens automatically
 + Pro: no degradation in Snort detection performance
 - Con: no such scripts exist


On Thu, 11 Oct 2001, Dominick, David wrote:

> Can my acid console pull from multiple MySQL servers?
> If so, can you tell me the conf for it.
> (I have 6 boxes out running snort all with their own local database. I
> to monitor that from a central machine.
> Thank you,
> David Dominick
> Enterprise Security Engineering
> 404-202-2848
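
The third option in the list above (custom scripts that do the equivalent of archiving) could look like the following sketch; it is an added example, not code from the thread participants, ACID or Snort. It assumes a simplified two-table layout (sensor, event keyed by sid/cid) rather than the full Snort schema, uses in-memory sqlite3 as a stand-in for the MySQL servers so it runs offline, and all hostnames and alerts are constructed.

```python
import sqlite3

# Assumed, simplified layout: one row per sensor, alerts keyed by (sid, cid).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT UNIQUE);
CREATE TABLE event (sid INTEGER, cid INTEGER, sig_name TEXT, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
"""

def make_db(hostname=None, alerts=()):
    """Create a database; with a hostname it plays the role of one sensor box."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if hostname:
        db.execute("INSERT INTO sensor (sid, hostname) VALUES (1, ?)", (hostname,))
        db.executemany("INSERT INTO event VALUES (1, ?, ?, ?)", alerts)
    return db

def archive(local, central):
    """Copy alerts not yet archived from one sensor database; return the count."""
    copied = 0
    for local_sid, hostname in local.execute("SELECT sid, hostname FROM sensor").fetchall():
        # Each local database numbers its own sensor 1, so remap sid by hostname.
        central.execute("INSERT OR IGNORE INTO sensor (hostname) VALUES (?)", (hostname,))
        (central_sid,) = central.execute(
            "SELECT sid FROM sensor WHERE hostname = ?", (hostname,)).fetchone()
        # High-water mark: assumes cid only ever increases on a given sensor.
        (last_cid,) = central.execute(
            "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?",
            (central_sid,)).fetchone()
        rows = local.execute(
            "SELECT cid, sig_name, timestamp FROM event WHERE sid = ? AND cid > ?",
            (local_sid, last_cid)).fetchall()
        central.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                            [(central_sid, *row) for row in rows])
        copied += len(rows)
    central.commit()
    return copied

def demo():
    """Two constructed sensors, archived twice with one new alert in between."""
    central = make_db()
    a = make_db("sensor-a", [(1, "constructed alert A1", "2001-10-11 18:00:01"),
                             (2, "constructed alert A2", "2001-10-11 18:00:07")])
    b = make_db("sensor-b", [(1, "constructed alert B1", "2001-10-11 18:01:30")])
    first = [archive(s, central) for s in (a, b)]
    a.execute("INSERT INTO event VALUES (1, 3, 'constructed alert A3', '2001-10-11 18:05:00')")
    second = [archive(s, central) for s in (a, b)]  # only the new alert moves
    return first, second, central

if __name__ == "__main__":
    print(demo()[:2])
```

Run from cron on the central machine, a script of this shape pulls from the sensors instead of making Snort write twice, which is why it avoids the detection slowdown listed for the first option.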
