[Snort-users] Question on database for Snort

Erek Adams erek at ...950...
Tue Apr 1 06:37:23 EST 2003


On Tue, 1 Apr 2003, FWAdmin wrote:

> Great response so far guys.

If easily offended, please skip the next section and see the lower
response.

<rant mode on>
Hi, Good morning.  Since we, the collective snort-users community, didn't
respond fast enough to satisfy you, we would sincerely like to tell you to
take a long walk off a very short pier.  Thank you, have a nice day.

Now, let's put this into perspective:  You are using an OpenSource program.
You are asking questions of the OpenSource community for that program.
You will be using this information for "a customer", which implies a
monetary gain from this.  We (the community) are helping out of the
goodness and willingness of our own hearts--Translation, we're not getting
paid.  Now, I'm all for helping people and that's pretty damned obvious.
But, when someone becomes a bit aggravated over the fact their question
wasn't answered in what _they_ consider a timely manner--It just amazes
me.  It makes me _not_ want to help that person.  If they are going to be
that crass and rude, why should I take the time from my life to help?  I
have a life--Ok, It may not seem that way, but I do.  I have doctor
appointments, lunch with the wife, job interviews, and dinner to cook.  I
don't always _want_ to take time to answer questions.  Sometimes I see an
email that _really_ raises my blood pressure.  This is a perfect example.

You have apparently done _no_ research.  You've gotten no data on your own.
If you have, you don't mention it.  So at this point, the way it's coming
across:  "Hi, I can't do my own job.  Do it for me.  I can't think on my
own.  Please do it for me.  If you don't do my job right now, I'm going to
throw a temper tantrum."  I might and could be off base with this, but
that's the way you come across.  I'm usually quite calm and easy going,
but I'm sorry, this just pushed my last nerve.

Please, in the future before you post, read these two links:

  http://marc.theaimsgroup.com/?l=snort-users&m=104230179003344&w=2
  http://www.theadamsfamily.net/~erek/snort/drinking_game.txt

</rant mode>

Now that that's over, let's see what we can do to get you an answer.

> Anyone use Microsoft SQL Server 2000? Just curious.

Yes, quite a few.  Check the mailing list archives [0] for mssql.

> -----Original Message-----
> From: FWAdmin [mailto:FWAdmin at ...8484...]
> Sent: March 31, 2003 10:42
> To: Snort-Users
> Subject: [Snort-users] Question on database for Snort
>
>
> Hello all. I am going to be doing a rather large Snort deployment for a
> customer and I would like some opinions as to what back end database to use
> for the Snort log files and data. I am using Red Hat 7.3 with MySQL and ACID
> right now, but I would like to hear what others use in their customer
> environments. We will probably stick with HP / Compaq hardware, as that is
> the environment standard, but that is also open to suggestions or comments.

MySQL, Postgres, Oracle and MSSQL are the most common.  Oracle isn't
supported via ACID, so you'd have to use something else.  From a recent
discussion on the list, it seems that ACID starts to have problems with
its SQL queries around ~800k alerts.  Other folks who are using their own
interface are getting excellent response times well into the 1.6m alert
range.

Short Answer:  Use what you know and what you are comfortable with.  You
will have to do DB maintenance, so keep in mind that you want it to be
'usable'.  With MySQL+ACID you will have to prune the DB often to keep it
manageable.

Oh, and 4 penalty drinks.  :)  (Trim those sigs next time!)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2



