RE: Anyone using "Enterprise implementation"?

[Tom Van Overbeke <tvanoverbeke () ccncsi net>]

If you're getting that much of info in only 8 hours, i suggest you finetune
your snort config first. there can't possibly be that much of interesting
information in such a short timeframe.


Tom.




> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of
> Emre Bastuz
> Sent: 26 August 2003 11:04
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Anyone using "Enterprise implementation"?
>
>
> Hi,
>
> I´ve been planning to deploy Acid+Snort+Snortcenter in an "enterprise"
> scenario with about 10 sensors with GigE Interfaces and one managment
> machine with mysql,apache, etc..
>
> During my initial test Snort wrote about 6 Gig of information from
> sensor to managment machine within 8 hours.
>
> Not that I did not expect this but the mysql queries on the
> Acid console
> take forever thus leaving the system completely useless.
>
> I read the FAQ and also did some serious Googling to learn
> how to improve
> performance but creating indexes and tuning buffers did not
> really help.
>
> Is anyone out there using Acid+Snort+Snortcenter in an
> environment like I´m
> planning to do?
>
> How do you guys handle the huge data that is being written to the db?
>
> Just wondering: just one sensor with GigE, sniffing on
> 3x100mbit is generating
> that much data, how does Acid+Snort scale when using with
> more sensors?
>
> I could live with doing daily archives of the database but
> I´m afraid with
> multiple sensorts I would have to switch to archiving every
> 12 or 6 hours.
>
> Any solution or suggestion? Even links, faq´s and docs I
> might have missed are
> very welcome :)
>
> Emre
>
> --
> info () emre de              http://www.emre.de
> UIN: 561260           PGP Key ID: 0xAFAC77FD
> I don't see why some people even HAVE cars. -- Calvin
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a
> single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
> at the same time. Free trial click
> here:http://www.vmware.com/wl/offer/358/0
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



****************************************************************************
Disclaimer: 
This electronic transmission and any files attached to it are strictly 
confidential and intended solely for the addressee. If you are not 
the intended addressee, you must not disclose, copy or take any
action in reliance of this transmission. If you have received this 
transmission in error, please notify the sender by return and delete
the transmission.  Although the sender endeavors to maintain a
computer virus free network, the sender does not warrant that this
transmission is virus-free and will not be liable for any damages 
resulting from any virus transmitted. 
Thank You.
****************************************************************************



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users