[Snort-users] AW: (Snort-users) Log analysis tools

Fraser Hugh hugh_fraser at ...2804...
Fri Sep 7 08:20:02 EDT 2001


There seems to be a lot of concern over the performance of ACID with large
databases. Our site is no different if I install Snort using the standard
rules out-of-the-box. Viruses like Code Red flooded my Internet IDS with
tens of thousands of alerts, but in most cases (certainly in ours), the IIS
patches have been applied, the firewalls re-configured, or whatever you do
to protect yourself, and the attacks just become more background noise from
the Internet. I'm not overly confident of our firewall's abilities, and do
run a second probe inside our firewall that continues to watch for things like
Code Red that should have been blocked or are generated from within, but the
outside probe does not.

I also archive and then purge the database daily (via automated scripts,
not manually), keeping no more than 7 days worth of traffic in it. That's an
arbitrary value, but it's long enough to allow me to detect "paranoid" nmap
scans which I used as a yardstick. I do continuous statistical "control
chart" type analysis of the data, looking for significant changes in traffic
by host and by event.

Bottom line... my online database never gets into the millions of records
big. In fact, it's usually in the low tens-of-thousands.

> -----Original Message-----
> From:	sandro.poppi at ...3316... [SMTP:sandro.poppi at ...3316...]
> Sent:	Thursday, September 06, 2001 9:52 AM
> To:	subba9 at ...530...
> Cc:	snort-users at lists.sourceforge.net
> Subject:	[Snort-users] AW: (Snort-users) Log analysis tools
> 
> > > Try ACID. It's not that simple to install because of
> > various support packages
> > > needed and it's database related, but you get all alerts
> > when they happen
> > > (nearly realtime) and it can be queried via a browser.
> > >
> > > ACID can be found on http://www.cert.org/kb/acid/
> > >
> >
> > Thank you for replying and this info. Is ACID a memory hog?
> 
> Well, I'm running snort on 4 interfaces (100 MBit/s FD, average to low
> utilization) and also SnortSnarf and ACID including a mysql database all
> on a
> PIII/800 with 256 MB RAM. I did not have any memory or cpu probs yet
> (pssst: I'm
> running also ntop to get infos about the utilization of the interfaces on
> the
> same machine, but please don't tell it to others >8).
> 
> > SnortSnarf needs
> > lot of tuning up(that is another discussion). I would assume
> > that such (ACID)
> > setup would be on a different box and not on the Snort agent itself.
> 
> Of course this is a better solution especially if you are using more than
> one
> snort sensor to log into the same database. But as said before, no probs
> yet.
> >
> > Thank you once again.
> 
> Anytime,
> Sandro
> 
> 
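As an added illustration of the daily "control chart" analysis Fraser describes (not code from the post or from Snort/ACID), this script compares each (source host, signature) count for the day under review against the mean and standard deviation of the previous 7 retained days. The alert rows, host addresses and signature names are constructed sample data.

```python
# Added example: a minimal "control chart" over daily Snort alert counts,
# keyed by (source host, signature), using the last 7 days as the baseline.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: one row per (day, src_ip, signature, count).
# Days 1-7 are the retained baseline window; day 8 is the day under review.
BASELINE = [
    (d, "10.0.0.5", "WEB-IIS cmd.exe access", c)
    for d, c in enumerate([40, 38, 45, 41, 39, 44, 42], 1)
] + [
    (d, "10.0.0.9", "SCAN nmap TCP", c)
    for d, c in enumerate([2, 0, 1, 3, 1, 2, 1], 1)
]
TODAY = [
    (8, "10.0.0.5", "WEB-IIS cmd.exe access", 43),  # steady Code Red noise
    (8, "10.0.0.9", "SCAN nmap TCP", 30),           # sharp rise: worth a look
    (8, "10.0.0.7", "SCAN nmap TCP", 4),            # host never seen before
]


def flag_alerts(baseline, today, k=3.0, min_delta=5):
    """Return {(src_ip, sig): reason} for series whose count today lies above
    mean + k * stddev of the baseline days, or that have no baseline at all.
    min_delta stops a flat series (stddev 0) from firing on a change of 1."""
    series = defaultdict(list)
    for _day, src, sig, count in baseline:
        series[(src, sig)].append(count)
    flagged = {}
    for _day, src, sig, count in today:
        key = (src, sig)
        if key not in series:
            flagged[key] = "new host/event pair"
            continue
        hist = series[key]
        limit = mean(hist) + k * pstdev(hist)
        if count > limit and count - mean(hist) >= min_delta:
            flagged[key] = f"{count} > upper control limit {limit:.1f}"
    return flagged


if __name__ == "__main__":
    for key, why in flag_alerts(BASELINE, TODAY).items():
        print(key, why)
```

On the sample data the steady Code Red host stays under its control limit, while the nmap rise and the previously unseen host are both reported.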
