[Snort-users] snort web interface

Jason Meller jason.meller at ...11827...
Wed Aug 24 11:03:25 EDT 2011


Mike,

Sorry I forgot to address that point. Snorby "classifies" events in the
Snort DB. Once classified, events are hidden from the event view in the
front-end. We did this so that in the future you could still search
and correlate old events that were classified months or years ago. We want
to get people out of the habit of deleting things they are done processing,
as the data may be useful later (think of people who used to delete email
after reading it, before Gmail).

The obvious disadvantage of this approach is that the DB can grow rapidly if
you have really noisy rules. To address that, we've added some
basic auto-pruning options once the events get above a certain configurable
number.

I hope that clarifies everything!

- Jason

On Wed, Aug 24, 2011 at 10:46 AM, Mike Lococo <mikelococo at ...11827...> wrote:

> On 08/24/2011 09:44 AM, Joel Esler wrote:
> > Let's leave the insults on the sidelines and highlight the good and
> > bad of each interface, and perhaps, if there are shortfalls,  let's
> > point them out, hopefully the developers (BASE included, not just you
> > Dustin) will take the shortfalls and add to their respective
> > projects.
>
> Agreed.  Calling someone an "idiot" or a "dick" is an ad hominem attack
> and is inappropriate mailing list behavior that does nothing to further
> the discussion.  You can be honest about incorrect facts or misguided
> advice without resorting to name calling.
>
> Jason's response was extremely helpful but didn't address the question
> of whether Snorby can clean old events out of the database, which is the
> one actual technical criticism that has been made of Snorby in this
> thread.  Can it delete events, and if not is that feature on the
> roadmap, or is there a recommended workaround?  The schema is complex
> enough that manually cleaning events in SQL is beyond most folks' ability.
>
> Cheers,
> Mike Lococo
>