[Snort-users] Re: (Snort-users) Log analysis tools

Fraser Hugh hugh_fraser at ...2804...
Thu Sep 6 10:39:02 EDT 2001


ACID uses a database rather than flat files as its repository, and the
database will benefit from as much memory as you can give it. Installation
is not difficult, but tuning any database is an art. ACID is, however, a
great realtime analysis tool, and well worth the effort. 

I've installed ACID and a Postgres database on a moderate-sized machine
dedicated to the analysis/reporting function, and have the Snort probes
running on smaller boxes with dual NICs, the primary NIC being the sniffer
port, and the second being a private LAN to the analysis machine. ACID
performance is adequate, but not snappy.

I use ACID for follow-up analysis of events, and performance isn't a major
issue. The probes I've installed are autonomous, each having a modem and
phone line and some additional intelligence to do exception paging when
Snort detects a problem. So ACID's real strength for me is its analysis
capabilities once I've been paged.

> -----Original Message-----
> From:	Subba Rao [SMTP:subba9 at ...530...]
> Sent:	Thursday, September 06, 2001 9:44 AM
> To:	sandro.poppi at ...3316...
> Cc:	snort-users at lists.sourceforge.net
> Subject:	[Snort-users] Re: (Snort-users) Log analysis tools
> 
> On  0, sandro.poppi at ...3316... wrote:
> > 
> > Try ACID. It's not that simple to install because of various support
> > packages needed and it's database related, but you get all alerts when they
> > happen (nearly realtime) and it can be queried via a browser.
> > 
> > ACID can be found on http://www.cert.org/kb/acid/
> > 
> 
> Thank you for replying and this info. Is ACID a memory hog? SnortSnarf
> needs a lot of tuning up (that is another discussion). I would assume that
> such (ACID) setup would be on a different box and not on the Snort agent
> itself.
> 
> Thank you once again.
> -- 
> 
> Subba Rao
> subba9 at ...530...
> http://members.home.net/subba9/
> 
> GPG public key ID CCB7344E
> Key fingerprint = A8DD 4CBA 1E9B D962 A55B  2B55 BAFE 92C5 CCB7 344E
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users