[Snort-users] Data Reduction

Brett.Gillett at ...6663...
Thu Nov 7 13:37:02 EST 2002


Hey everyone,

This question is an extension to my last one about a bad SQL statement; I
think we have figured that out.  I wanted to get everyone's thoughts on data
reduction.
What we want to do is store less data for more time, but we are having a
hard time actually deciding what to keep.  We would like to come up with 3
stages,

     1st stage - Snort DB
     2nd stage - medium
     3rd stage - long-term storage

We have come up with the following list for long-term storage,

timestamp,signature,sig_class_id,ip_src,tcp_sport,ip_dst,tcp_dport,ip_proto

What I am after are suggestions for the 2nd stage; in addition to the above,
what do you think would be worth keeping?

Thanks,

Brett
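As an added example that is not part of Brett's post or the Snort project's own code: a stage-3 reduction that keeps exactly the long-term field list above, run against an in-memory SQLite copy of the relevant Snort DB tables. It assumes the classic Snort DB schema names (event, signature, iphdr, tcphdr, udphdr) and uses constructed sample rows; the UDP table is joined as well, since tcp_sport/tcp_dport are NULL for non-TCP alerts.

```python
# Added example, not from the original post: reduce Snort DB events to the
# long-term field list (classic Snort DB schema names; sample rows constructed).
import sqlite3

SCHEMA = """
CREATE TABLE event     (sid INT, cid INT, signature INT, timestamp TEXT);
CREATE TABLE signature (sig_id INT, sig_name TEXT, sig_class_id INT);
CREATE TABLE iphdr     (sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT);
CREATE TABLE tcphdr    (sid INT, cid INT, tcp_sport INT, tcp_dport INT);
CREATE TABLE udphdr    (sid INT, cid INT, udp_sport INT, udp_dport INT);
CREATE TABLE longterm  (timestamp TEXT, signature INT, sig_class_id INT,
    ip_src INT, sport INT, ip_dst INT, dport INT, ip_proto INT);
"""

# Constructed sample: one TCP alert (cid 10), one UDP (cid 11), one ICMP (cid 12).
SAMPLE = [
    ("INSERT INTO signature VALUES (?,?,?)",
     [(1, "WEB test", 5), (2, "DNS test", 3), (3, "ICMP test", 7)]),
    ("INSERT INTO event VALUES (?,?,?,?)",
     [(1, 10, 1, "2002-11-07 13:00:00"), (1, 11, 2, "2002-11-07 13:00:01"),
      (1, 12, 3, "2002-11-07 13:00:02")]),
    ("INSERT INTO iphdr VALUES (?,?,?,?,?)",
     [(1, 10, 167772161, 167772162, 6), (1, 11, 167772161, 167772163, 17),
      (1, 12, 167772161, 167772164, 1)]),
    ("INSERT INTO tcphdr VALUES (?,?,?,?)", [(1, 10, 34567, 80)]),
    ("INSERT INTO udphdr VALUES (?,?,?,?)", [(1, 11, 34568, 53)]),
]

# Ports live in per-protocol tables, so LEFT JOIN both and COALESCE; an inner
# join on tcphdr alone would silently drop every UDP and ICMP event.
REDUCE_SQL = """
INSERT INTO longterm
SELECT e.timestamp, e.signature, s.sig_class_id,
       i.ip_src, COALESCE(t.tcp_sport, u.udp_sport),
       i.ip_dst, COALESCE(t.tcp_dport, u.udp_dport), i.ip_proto
FROM event e
JOIN signature s   ON s.sig_id = e.signature
JOIN iphdr i       ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN udphdr u ON u.sid = e.sid AND u.cid = e.cid
"""

def reduce_to_longterm():
    # Build the sample DB, run the reduction, return long-term rows in time order.
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        con.executemany(sql, rows)
    con.execute(REDUCE_SQL)
    return con.execute("SELECT * FROM longterm ORDER BY timestamp").fetchall()
```

On a production Snort DB the same SELECT would feed the stage-3 table, after which the matching event/iphdr/tcphdr/udphdr/data rows can be purged from stage 1.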
