[Snort-users] Question on database for Snort

FWAdmin FWAdmin at ...8484...
Tue Apr 1 11:51:17 EST 2003

I wasn't being sarcastic. I was being truthful, I appreciate the responses I
have gotten so far. Within a few hours a few people responded with their
setup, which is what I wanted. You are so far off base, you are playing a
different sport.

I have been doing some research and have found that there is quite a variety
of databases that Snort works with reliably, and I thought that people on
this message board would have something to contribute, telling me what they
are using in their environments and perhaps what I should watch out for.

I have a hard time believing you are calm and easy going if one post pushed
your last nerve. And it's hard to believe that you have no time on your hands
if you are willing to bash on someone for a simple statement which was just
to thank the people on this board, and of which you have no evidence that I
was stating something to the contrary. It was quite amazing what you pulled
out of that one statement and assumed immediately. I'm going to assume you
are having a bad hair day and leave it at that.

Despite your initial response, thank you for your opinion on the databases,
and don't read between the lines as much. I am not a 13-year-old script
kiddie who can't behave. I am a security professional who appreciates the
responses of the individuals on this board.



-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: April 1, 2003 10:32
To: FWAdmin
Cc: Snort-Users
Subject: RE: [Snort-users] Question on database for Snort

On Tue, 1 Apr 2003, FWAdmin wrote:

> Great response so far guys.

If easily offended, please skip the next section and see the lower response.

<rant mode on>
Hi, good morning.  Since we, the collective snort-users community, didn't
respond fast enough to satisfy you, we would sincerely like to tell you to take
a long walk off a very short pier.  Thank you, have a nice day.

Now, let's put this into perspective:  You are using an OpenSource program.
You are asking questions of the OpenSource community for that program. You
will be using this information for "a customer", which implies a monetary
gain from this.  We (the community) are helping out of the goodness and
willingness of our own hearts--Translation, we're not getting paid.  Now,
I'm all for helping people and that's pretty damned obvious. But when
someone becomes a bit aggravated over the fact their question wasn't
answered in what _they_ consider a timely manner--It just amazes me.  It
makes me _not_ want to help that person.  If they are going to be that crass
and rude, why should I take the time from my life to help?  I have a
life--Ok, It may not seem that way, but I do.  I have doctor appointments,
lunch with the wife, job interviews, and dinner to cook.  I don't always
_want_ to take time to answer questions.  Sometimes I see an email that
_really_ raises my blood pressure.  This is a perfect example.

You have apparently done _no_ research.  You've gotten no data on your own.
If you have, you don't mention it.  So at this point, the way it's coming
across:  "Hi, I can't do my own job.  Do it for me.  I can't think on my
own.  Please do it for me.  If you don't do my job right now, I'm going to
throw a temper tantrum."  I might and could be off base with this, but
that's the way you come across.  I'm usually quite calm and easy going, but
I'm sorry, this just pushed my last nerve.

Please, in the future before you post, read these two links:


</rant mode>

Now that that's over, let's see what we can do to get you an answer.

> Anyone use Microsoft SQL Server 2000? Just curious.

Yes, quite a few.  Check the mailing list archives [0] for mssql.

> -----Original Message-----
> From: FWAdmin [mailto:FWAdmin at ...8484...]
> Sent: March 31, 2003 10:42
> To: Snort-Users
> Subject: [Snort-users] Question on database for Snort
> Hello all. I am going to be doing a rather large Snort deployment for 
> a customer and I would like some opinions as to what back end database 
> to use for the Snort log files and data. I am using Red Hat 7.3 with 
> MySQL and ACID right now, but I would like to hear what others use in 
> their customer environments. We will probably stick with HP / Compaq 
> hardware, as that is the environment standard, but that is also open 
> to suggestions or comments.

MySQL, Postgres, Oracle and MSSQL are the most common.  Oracle isn't
supported via ACID, so you'd have to use something else.  From a recent
discussion on the list, it seems that ACID starts to have problems with its
SQL queries around ~800k alerts.  Other folks who are using their own
interface are getting excellent response times well into the 1.6m alert

Short Answer:  Use what you know and what you are comfortable with.  You
will have to do DB maintenance, so keep in mind that you want it to be
'usable'.  With MySQL+ACID you will have to prune the DB often to keep it

Oh, and 4 penalty drinks.  :)  (Trim those sigs next time!)

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2

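Since the one maintenance chore the thread settles on is pruning the alert database, here is an added example (not from the thread, nor from the Snort or ACID projects) of retention-based pruning against a minimal recreation of the Snort database schema: the `event` table and its per-packet child tables all share the composite key `(sid, cid)`, so every table has to be pruned on the same key set. It uses SQLite instead of MySQL so it runs stand-alone; table and column names follow the Snort MySQL schema, and the sample alerts and their ages are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Subset of the Snort MySQL schema, recreated in SQLite for this example.
# Every per-alert table is keyed by (sid, cid); event is the parent.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, last_cid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""
# A real ACID install adds its own summary tables (acid_event etc.) that need the same treatment.
CHILD_TABLES = ("iphdr", "tcphdr", "data")

def prune_events(conn, retention_days, now=None):
    """Delete alerts older than retention_days from event and every child table.
    Returns the number of event rows removed. sensor.last_cid is deliberately left
    alone: Snort's database output plugin reads it to number the next alert."""
    now = now or datetime.now()
    cutoff = (now - timedelta(days=retention_days)).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.cursor()
    # Fix the victim set first so all tables are pruned on identical (sid, cid) pairs.
    cur.execute("CREATE TEMP TABLE IF NOT EXISTS prune(sid INTEGER, cid INTEGER)")
    cur.execute("DELETE FROM prune")
    cur.execute("INSERT INTO prune SELECT sid, cid FROM event WHERE timestamp < ?", (cutoff,))
    for t in CHILD_TABLES + ("event",):
        cur.execute(f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM prune "
                    f"WHERE prune.sid = {t}.sid AND prune.cid = {t}.cid)")
    removed = cur.rowcount  # rowcount of the final DELETE, i.e. event rows
    conn.commit()
    return removed

def demo():
    """Constructed data: four alerts from one sensor, two older than 30 days."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    now = datetime(2003, 4, 1, 12, 0, 0)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor1', 4)")
    for cid, age_days in ((1, 40), (2, 31), (3, 3), (4, 0)):
        ts = (now - timedelta(days=age_days)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (1, ?, 1000 + ?, ?)", (cid, cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, 167772161, 167772162, 6)", (cid,))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, 40000, 80)", (cid,))
        conn.execute("INSERT INTO data VALUES (1, ?, 'constructed payload')", (cid,))
    removed = prune_events(conn, retention_days=30, now=now)
    remaining = {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                 for t in ("event",) + CHILD_TABLES}
    return removed, remaining
```

Pruning by a snapshot of `(sid, cid)` pairs rather than by repeating the timestamp predicate per table matters because only `event` carries the timestamp; the child tables can only be trimmed through the key.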
