[Snort-users] Multiple Sensors to 1 DB Server

Jason Haar Jason.Haar at ...294...
Tue Oct 15 05:12:27 EDT 2002

On Fri, Oct 11, 2002 at 07:19:59PM +0000, Dragos Ruiu wrote:
> Watch the insert speed, it not only slows down as the DBs get bigger
> but it tops out around about 500-700 alerts per second for MySQL
> on typical machines.

Heh. Could be the least of your problems...

We run snort on standalone boxes on our WAN, however we do centralized
testing of new rulesets/versions, and then rsync them out. 

I had the fun event of updating snort from 1.8 to 1.9, testing it within our
particular environment, then pushed it out to the other IDSes. Immediately
one of them spiked as they had some crap SNMP traffic that triggered a
preprocessor alert - 50-100/second...

If we had centralized reporting (which I *really* want), we would have
SATURATED our WAN links...

Even with nice, local testing, IMHO centralized logging is too dangerous to
do over WANs. DDoS is too big a risk (and who wants to explain to the
company that "the IDS brought down the link"...)

BTW: would the snort schema now allow me to run local SQL DBs, and merge
them into a central store without any extra magic? I know that was an issue
6 months ago... That would then allow me to "clean up" local snort DBs, then
merge them into a central store for centralized monthly
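The "extra magic" the question above is about, as an added example that is not part of the original post or of Snort's own code: a local-to-central merge that re-keys events so they don't collide. It assumes a deliberately simplified two-table version of the Snort/ACID database layout (a sensor table keyed by sid, an event table keyed by the composite (sid, cid), and a per-sensor last_cid counter); the real schema has many more tables but the same composite-key problem: every sensor's local DB calls itself sid=1 and numbers cid from 1, so a naive row copy into the central store either collides or silently overwrites. The sensor hostnames and alert rows are constructed sample data.

```python
"""Merge per-sensor Snort-style alert databases into one central store.

Added example for the thread above; not code from Snort or the poster.
Schema is an assumed, cut-down version of the Snort/ACID layout: the
point it keeps is that events are keyed by (sid, cid) and every local
DB starts at sid=1, cid=1, so a merge must re-key sid per sensor.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY,
    hostname TEXT NOT NULL,
    interface TEXT NOT NULL,
    last_cid INTEGER NOT NULL DEFAULT 0,
    UNIQUE (hostname, interface)
);
CREATE TABLE event (
    sid INTEGER NOT NULL,
    cid INTEGER NOT NULL,
    signature TEXT NOT NULL,
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""


def new_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def local_db(hostname, interface, alerts):
    """Build a local sensor DB: one sensor (sid=1) and its events, cid from 1."""
    db = new_db()
    db.execute("INSERT INTO sensor (sid, hostname, interface, last_cid) VALUES (1, ?, ?, ?)",
               (hostname, interface, len(alerts)))
    db.executemany("INSERT INTO event VALUES (1, ?, ?, ?)",
                   [(i + 1, sig, ts) for i, (sig, ts) in enumerate(alerts)])
    db.commit()
    return db


def merge_into(central, local):
    """Copy every sensor/event from `local` into `central`, re-keying sid.

    The central sid is looked up (or allocated) by (hostname, interface),
    and only events with cid > the central sensor's last_cid are copied,
    so the merge is idempotent: re-running it after a local "clean up"
    of old rows copies nothing twice. Returns the number of events copied.
    """
    copied = 0
    sensors = local.execute("SELECT sid, hostname, interface FROM sensor").fetchall()
    for lsid, host, iface in sensors:
        row = central.execute(
            "SELECT sid, last_cid FROM sensor WHERE hostname=? AND interface=?",
            (host, iface)).fetchone()
        if row is None:
            cur = central.execute(
                "INSERT INTO sensor (hostname, interface, last_cid) VALUES (?, ?, 0)",
                (host, iface))
            csid, last = cur.lastrowid, 0   # INTEGER PRIMARY KEY: rowid is the new sid
        else:
            csid, last = row
        rows = local.execute(
            "SELECT cid, signature, timestamp FROM event WHERE sid=? AND cid>? ORDER BY cid",
            (lsid, last)).fetchall()
        central.executemany(
            "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            [(csid, cid, sig, ts) for cid, sig, ts in rows])
        if rows:
            central.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (rows[-1][0], csid))
        copied += len(rows)
    central.commit()
    return copied


def event_count(db):
    return db.execute("SELECT COUNT(*) FROM event").fetchone()[0]


def demo():
    """Two sensors, both sid=1 / cid 1..n locally, merged twice (constructed data)."""
    a = local_db("ids-siteA", "eth1", [("SNMP request tcp", "2002-10-14 09:00:01"),
                                       ("SNMP request tcp", "2002-10-14 09:00:01")])
    b = local_db("ids-siteB", "eth0", [("ICMP PING", "2002-10-14 09:00:05")])
    central = new_db()
    first = merge_into(central, a) + merge_into(central, b)
    second = merge_into(central, a) + merge_into(central, b)   # re-run: nothing new
    return first, second, event_count(central)


if __name__ == "__main__":
    print(demo())
```

The one caveat to keep in mind: the idempotency rests on the local cid counter never restarting. If a sensor's local DB is wiped rather than pruned so that cid starts again from 1, every new event sits below the central last_cid and is skipped; in that case the central sensor row's last_cid has to be reset (or the sensor re-registered under a new interface/hostname) before the next merge.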


