[Snort-users] mysql, base, and snort and a plea for tips in general
David J. Bianco
david at ...13799...
Fri Jun 15 11:53:17 EDT 2007
John, I feel your pain, as I'm sure many others here do. A good IDS setup
can be kind of confusing if you've never dealt with one before. Here
are a few comments that may help you out:
1) Take the Snort training from Sourcefire if you can. They really do
go into a lot of detail about what snort is and how it works. It
also covers basic BASE tasks, rule maintenance, etc. Good stuff, and
you'll need this information on an almost daily basis. (Disclaimer,
I've taught those classes in the past, so I do have a sporadic business
relationship with Sourcefire. But it's still good advice if you have
a little cash to spend.)
2) You mentioned that you're using BASE. The most likely reason that your
database is slow is that you're not deleting alerts once you've looked
at them. You need to do this, otherwise you'll find things just getting
slower and slower. You can use BASE's "archive database" feature to
save specific alerts that you might need to refer back to later, but
in general you shouldn't keep very many alerts in the database.
3) Since you asked about alternatives to BASE... There are several, but
I think BASE is still the most popular. I'm part of the Sguil project
(www.sguil.net) which also uses Snort to generate IDS alerts, but it
encompasses lots of other different data sources, too. It's more of a
network forensic tool for intrusion analysts. However, it might help you
with your problem of interpreting the alerts. One of the reasons Sguil
exists is to quickly answer the analyst's questions about an alert.
Many people have found that being able to query Sguil for supporting
information really speeds the process up a lot. It can be a bear to get
up and running, though, I have to say. But if you're doing intrusion
analysis as a significant part of your job, it might be worth checking
John Baker wrote:
> I'm a new Network Administrator trying to get a grip on the snort setup
> that I inherited. It sends the output to a LAMP server with base and
> snortreport as the frontends. I noticed a little discussion about this
> over the last few days so I thought that I would ask for a little advice
> on my troubles. It seems to quickly become an unhelpful time sink.
> The first big problem I have is the simple maintenance of the database.
> It seems to easily and quickly get out of hand and slow queries waaaaay
> down while using almost all of the CPU.
> Are there any specific MYSQL indexes, joins, or maintenance scripts that
> are good for performance?
> I noticed somebody say that this setup is just not a good idea. Others
> have noted that barnyard can help.
> I understand how barnyard can help snort itself but how can it help the
> MYSQL end? And what is a better setup than mysql/base?
> And last, I could really use a good guide to interpreting the alerts
> themselves. It sucks up a lot of my time just figuring out whether
> something is important or not. Does anybody have any good suggestions
> for interpretation guides?
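The pruning step from point 2 above (delete alerts you have already reviewed so the BASE database stays fast), as an added example that is not part of this thread and not code from the Snort, BASE or Sguil projects. It runs against an in-memory SQLite stand-in whose table and column names are modelled on the Snort MySQL schema (`event`, `iphdr`, `tcphdr`, `udphdr`, `icmphdr`, `data`, `opt`) plus BASE's `acid_event`; the column lists are simplified and the `CHILD_TABLES` tuple is an assumption to check against your own database before use. It also adds the one index (on `event.timestamp`) that makes "older than N days" queries cheap.

```python
"""Prune reviewed Snort alerts from a BASE-style database (added example)."""
import sqlite3
from datetime import datetime, timedelta

# Tables keyed by (sid, cid) that hang off each row in `event`.
# Assumption: adjust to match `SHOW TABLES` on your own BASE database.
CHILD_TABLES = ("iphdr", "tcphdr", "udphdr", "icmphdr", "data", "opt", "acid_event")

# Simplified stand-in for the Snort/BASE schema; real tables have more columns.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER,
                      PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE opt (sid INTEGER, cid INTEGER, optid INTEGER, opt_data TEXT,
                  PRIMARY KEY (sid, cid, optid));
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                         PRIMARY KEY (sid, cid));
-- Without this index, an age-based DELETE scans the whole event table.
CREATE INDEX event_timestamp ON event (timestamp);
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def prune_alerts(conn, older_than_days, now=None):
    """Delete every alert whose event.timestamp is older than the cutoff.

    Child rows are removed first, keyed by (sid, cid), so no orphaned
    header/payload rows are left behind; the whole pass is one transaction.
    Returns the number of event rows deleted.
    """
    now = now or datetime.now()
    cutoff = (now - timedelta(days=older_than_days)).strftime(TS_FMT)
    with conn:  # commit on success, roll back if any statement fails
        for table in CHILD_TABLES:
            # Correlated EXISTS works on both SQLite and MySQL.
            conn.execute(
                f"DELETE FROM {table} WHERE EXISTS ("
                f"  SELECT 1 FROM event e WHERE e.sid = {table}.sid"
                f"  AND e.cid = {table}.cid AND e.timestamp < ?)",
                (cutoff,),
            )
        cur = conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
    return cur.rowcount


def build_sample_db(now):
    """In-memory database with constructed alerts: three old, two recent."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ages_days = [45, 40, 31, 5, 1]  # constructed sample ages, in days
    for cid, age in enumerate(ages_days, start=1):
        ts = (now - timedelta(days=age)).strftime(TS_FMT)
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, 1000 + cid, ts))
        conn.execute("INSERT INTO acid_event VALUES (1, ?, ?, ?)", (cid, 1000 + cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, 167772161, 167772162)", (cid,))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, 40000, 80)", (cid,))
        conn.execute("INSERT INTO data VALUES (1, ?, 'GET / HTTP/1.0')", (cid,))
    conn.commit()
    return conn


def row_counts(conn):
    """Row count per table, so before/after effects of a prune can be checked."""
    return {
        t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
        for t in ("event",) + CHILD_TABLES
    }


if __name__ == "__main__":
    now = datetime(2007, 6, 15, 12, 0, 0)
    conn = build_sample_db(now)
    print("before:", row_counts(conn))
    print("deleted:", prune_alerts(conn, older_than_days=30, now=now))
    print("after: ", row_counts(conn))
```

Against a live BASE install you would swap the `sqlite3` connection for a MySQL client connection and leave the SQL alone; alerts you want to keep should first be moved with BASE's archive feature, since this pass deletes everything older than the cutoff regardless of whether it was reviewed.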