[Snort-users] Alternative to BASE

Bamm Visscher bamm.visscher at ...11827...
Wed Apr 28 15:09:52 EDT 2010


Ouch. Okay, I'll bite.

Most of the scaling problems I have seen have more to do with
insufficient hardware (trying to do full packet capture of a 100Mbps
link on an 80GB IDE disk or put a couple million rows per day of SANCP
data into a vastly undersized mysql DB), poor architecture decisions
(where you put sensors is important), or a misunderstanding of what
analysis using Sguil means.

If anyone is having problems with scaling, please let me know.  I have
over 100 sensors deployed on various links from 10Mbps to 1Gbps. All
reporting to a (single) central Sguil server and MySQL DB. Yeah, there
were some hurdles to overcome and hopefully I can get those lessons
learned into the CVS soon.

Bamm


On Wed, Apr 28, 2010 at 2:45 PM, Jeff Kell <jeff-kell at ...6282...> wrote:
> On 4/28/2010 12:27 PM, Stephen Mullins wrote:
>> As an analyst I can tell you that Sguil is the best IDS analysis front
>> end that I have ever seen.  It blows anything web based out of the
>> water.
>>
>
> But it only scales up to a point (as many/most "IDS analysis" tools,
> each has their threshold of pain).
>
> Jeff



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net