[Snort-users] Multiple Sensors to 1 DB Server

Dragos Ruiu dr at ...50...
Fri Oct 11 19:22:02 EDT 2002


Watch the insert speed: it not only slows down as the DBs get bigger,
but it tops out at around 500-700 alerts per second for MySQL
on typical machines.

One nice solution for this is to use nitrodata.com's high-speed database
(when I was there, Sourcefire was using this; I'll let them comment about
their new stuff), which can achieve an order of magnitude faster
performance at about 5000 inserts per second. Talk to Jed Haile
at Nitro Data; he knows a lot about this stuff and can probably tell
you how to test the boundary conditions...

cheers,
--dr


On October 11, 2002 10:54 pm, Kevin Brown wrote:
> It is possible; I have done it with Snort logging to a remote SQL db. That
> is what the SID field is for (which sensor logged that packet). You just have
> to make sure that MySQL will allow each of the sensors to log into the same
> database and have only the minimum of permissions needed to log (insert,
> select, update).
>
> -----Original Message-----
> From: The infoSphere
> To: Snort
> Sent: 10/11/02 1:20 PM
> Subject: [Snort-users] Multiple Sensors to 1 DB Server
>
> I have done this on a smaller scale (1 sensor to 1 DB server) before but
> not with a bunch of sensors (more than one (2+) sensors to one (1) DB
> server). I was just wondering if anyone has set up multiple Snort sensors
> to log to one central DB server running MySQL. Pretty much my question
> is a few yes's or no's unless there may be an issue:
>
> Does Snort along with MySQL handle this well?
>
> And/or are there any potential issues or pitfalls I should be aware of?
>
> Can I just tell the sensors to log to the central DB server and all will be
> well?
>
> I know how to do the configurations and i have worked out a solution
> for when the connections to the central server may go down while taking
> into account actions to be taken on both the DB server and the sensors
> so that no information gets lost, which I hope to be able to release to
> the community soon. I just need to know if this should work OK or not.
>
> There should not be any issue with having the central DB hold info for
> multiple sensors right? This goes for things like primary keys in the
> DB and all that good stuff.
>
>
> Thanks a million in advance for any help or advice,
>
> The infoSphere
>
>
>

-- 
dr at ...50...  pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
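As an added illustration of the least-privilege setup Kevin describes and of why the SID field keeps sensors apart (example SQL written for this page, not from the thread or the Snort project): one MySQL account per sensor host with only the statements the database output plugin needs, and a per-sensor alert summary. It assumes the stock Snort MySQL schema (database `snort`, tables `sensor` and `event`, events keyed on `sid`/`cid`); the host names and passwords are placeholders.

```sql
-- Added example, not from the thread. Assumes the stock Snort MySQL schema
-- (database `snort`, tables `sensor` and `event`); host names and passwords
-- below are placeholders.

-- Too broad: every sensor could read, alter or drop everything on the server.
-- GRANT ALL PRIVILEGES ON *.* TO 'snort'@'%';

-- Least privilege: one account per sensor host, limited to the snort database
-- and to the statements the output plugin actually issues (insert, select,
-- update), so a compromised sensor cannot delete or rewrite history.
CREATE USER 'snort'@'sensor1.example.net' IDENTIFIED BY 'placeholder-pw-1';
CREATE USER 'snort'@'sensor2.example.net' IDENTIFIED BY 'placeholder-pw-2';

GRANT INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'sensor1.example.net';
GRANT INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'sensor2.example.net';
FLUSH PRIVILEGES;

-- Check what a sensor account can actually do before pointing it at the server.
SHOW GRANTS FOR 'snort'@'sensor1.example.net';

-- Each sensor gets its own row (and sid) in `sensor` on first connect, and
-- events are keyed on (sid, cid), so two sensors inserting into the same
-- table never collide on the primary key.
SELECT s.sid, s.hostname, s.interface,
       COUNT(e.cid)     AS alerts,
       MAX(e.timestamp) AS last_alert
FROM   sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP  BY s.sid, s.hostname, s.interface
ORDER  BY alerts DESC;

-- Rough insert-rate check for the "watch the insert speed" advice: run this
-- twice a known number of seconds apart and divide the cid difference by it.
SELECT sid, MAX(cid) AS last_cid FROM event GROUP BY sid;
```

A sensor that falls silent shows up here as a stale `last_alert`, which is the first thing to check when a central database starts refusing or queueing inserts.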





More information about the Snort-users mailing list