>>> I would like to set up a firewall and network monitoring system using
>>> snort, acid, and postgres as a database. Has anyone had experience using
>>> snort and acid?
>>
>> Yes. I had ACID working with both MySQL and PostgreSQL for snort. I was
>> monitoring 200Mb/s of bandwidth with the poor little box and was recording
>> a few million records a week of bad traffic. Needless to say the databases
>> fared pretty badly when it came time to go through what had been
>> collected. PostgreSQL did better on the handling of data getting added, but
>> MySQL was able to do the selects orders of magnitude faster (e.g. 60
>> second read for MySQL, 3600 second read for PostgreSQL).
>>
>> Just for fits and giggles, I turned off all the rules and then just enabled
>> the telnet and FTP logger rules. Saw about 30,000 unique user
>> ids/passwords going each way in just a few hours. I deleted the data and
>> reinstituted the normal ruleset, but that was an interesting test of just
>> how easy it is to get that kind of information when the logins are insecure
>> like that.
> Your e-mail is interesting... Could you give me the details on the acid &
> postgres/mysql configuration? How did you take the output from acid and put
> it into the database? Do you have any code you can send me?
>
> The difference in the database selects is amazing! Do you have any output
> from the query analysis tools in postgres and mysql?
I think you are a bit confused. ACID doesn't put the data in the database,
snort does. ACID is for viewing the data that snort stored in the database. I
don't have access to any of the configs, but the docs were very straightforward
in setting up the logging to the databases (both MySQL and PostgreSQL).
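To make the division of labour concrete: snort is the writer, and the database output plugin in snort.conf is where that is configured; ACID is only pointed at the same database afterwards. The fragment below is an added illustration, not a config from this thread; the database name, user and host are placeholders you would replace with your own.

```conf
# snort.conf (added example, not from the original post)
# Snort's database output plugin writes events directly into the DB.
# ACID never writes alerts itself; it reads what Snort stored here.

# PostgreSQL backend (hostnames/credentials are placeholders):
output database: log, postgresql, user=snort password=CHANGEME dbname=snort host=db.example.internal

# The same line for a MySQL backend, if you use that instead:
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal

# "log" sends every logged packet/event; use "alert" instead if you
# only want alert-level events recorded (fewer rows, lighter DB load).
# Give the snort DB account only the rights it needs to insert events,
# and point ACID's own DB settings at the same dbname/host.
```

Keep the plugin's database password out of world-readable copies of snort.conf, since the file is otherwise harmless to share.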
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss