Snort Alerts

From NSMWiki

The following are example Snort disk usage scenarios for various production sensors. Please follow the initial templates when adding your information. Thank you!

Data Collection Methodology

Disk Usage: This is the amount of space occupied by the MyISAM table files (.frm, .MYD, and .MYI) of the Snort event tables in /var/db/mysql/sguildb for the period in question (30 Jun - 13 July, inclusive).

$ du -chs *event*20070630* *event*2007070* *event*20070710* \
> *event*20070711* *event*20070712* *event*20070713*

Record Count: This is the number of records in the event database for the period in question (30 Jun - 13 July, inclusive).

$ mysql -u sguil -p sguildb -A -e "SELECT count(*) FROM event WHERE \
> start_time > '2007-06-30 00:00:00' and start_time < '2007-07-14 00:00:00'"
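The two measurements above (sum the per-day event-table files for a date range, then count the rows in the same range) are shown on the page as a hand-written du glob and a one-off SQL query. The following is an added example, not NSMWiki's or the Sguil project's own code, that does the same thing for any inclusive date range. It assumes Sguil names its per-day event-table files with the date as YYYYMMDD somewhere after the word "event" (as the page's globs such as *event*20070630* suggest); the file prefix event_sensor_ and the sizes used by the sample-directory builder are constructed for the demonstration and are not from the page.

```python
"""Helpers for the Snort/Sguil alert disk-usage measurement described above.

Added example; not NSMWiki's or Sguil's code. Assumptions:
  * per-day MyISAM files contain the date as YYYYMMDD after 'event'
    (constructed prefix 'event_sensor_' is used for sample files);
  * each day consists of a .frm, .MYD and .MYI file.
"""
import os
import re
import tempfile
from datetime import date, timedelta

DATE_RE = re.compile(r"event.*?(\d{8})")   # first YYYYMMDD after 'event'
TABLE_SUFFIXES = (".frm", ".MYD", ".MYI")


def days_in_period(start: date, end: date):
    """Yield every date from start to end inclusive (the page's 30 Jun - 13 Jul)."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def is_event_file_in_period(name: str, start: date, end: date) -> bool:
    """True if 'name' is an event-table file whose embedded date lies in [start, end].

    An explicit date check replaces the page's hand-written globs
    (*event*2007070* etc.), which are easy to get wrong at month boundaries.
    """
    if not name.endswith(TABLE_SUFFIXES):
        return False
    m = DATE_RE.search(name)
    if not m:
        return False
    ymd = m.group(1)
    try:
        d = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    except ValueError:
        return False
    return start <= d <= end


def disk_usage_bytes(db_dir: str, start: date, end: date) -> int:
    """Sum the sizes of the event-table files for the period, like the page's du -chs."""
    total = 0
    with os.scandir(db_dir) as it:
        for entry in it:
            if entry.is_file() and is_event_file_in_period(entry.name, start, end):
                total += entry.stat().st_size
    return total


def count_query(start: date, end: date) -> str:
    """Build the record-count query for the period.

    The upper bound is '< end + 1 day', exactly as the page's '< 2007-07-14'.
    The lower bound uses '>=' rather than the page's '>' so that an alert
    logged at exactly midnight on the first day is counted too.
    """
    upper = end + timedelta(days=1)
    return (
        "SELECT count(*) FROM event WHERE "
        f"start_time >= '{start:%Y-%m-%d} 00:00:00' AND "
        f"start_time < '{upper:%Y-%m-%d} 00:00:00'"
    )


def bytes_per_record(disk_bytes: int, records: int) -> float:
    """Storage cost per alert, the figure needed to size a sensor's database.
    With the page's Example 1 values (1.6 MB, 3789 records) this is about 420 bytes."""
    return disk_bytes / records


def make_sample_db_dir(start: date, end: date, extra_days: int = 2) -> str:
    """Create a temp dir of constructed event-table files: 100/200/300 bytes per
    .frm/.MYD/.MYI for each day in the period, plus 'extra_days' days on either
    side and one non-event table, so the filter has something to exclude."""
    d = tempfile.mkdtemp(prefix="sguildb_sample_")
    first = start - timedelta(days=extra_days)
    last = end + timedelta(days=extra_days)
    for day in days_in_period(first, last):
        for suffix, size in zip(TABLE_SUFFIXES, (100, 200, 300)):
            # constructed file name; the real Sguil prefix is not given on the page
            with open(os.path.join(d, f"event_sensor_{day:%Y%m%d}{suffix}"), "wb") as f:
                f.write(b"\0" * size)
    with open(os.path.join(d, f"sancp_sensor_{start:%Y%m%d}.MYD"), "wb") as f:
        f.write(b"\0" * 5000)   # another table type, must not be counted
    return d


if __name__ == "__main__":
    start, end = date(2007, 6, 30), date(2007, 7, 13)
    sample = make_sample_db_dir(start, end)
    used = disk_usage_bytes(sample, start, end)
    print(f"event-table bytes for {start}..{end}: {used}")
    print(count_query(start, end))
```

Run the script as-is to see the filter applied to a constructed directory, or point disk_usage_bytes at a real /var/db/mysql/sguildb and feed count_query's output to mysql -e to reproduce the two figures reported in the examples below.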

  • Example 1: Sguil installation
    • Period Collected: 14 days
    • Monitored Link: 6 Mbps (four bonded T-1s)
    • Maximum Bandwidth: Unknown
    • Average Bandwidth: Unknown
    • Disk Usage: 1.6 MB
    • Record Count: 3789
  • Example 2: Sguil installation
    • Period Collected: 14 days
    • Monitored Link: 6 Mbps (four bonded T-1s)
    • Maximum Bandwidth: Unknown
    • Average Bandwidth: Unknown
    • Disk Usage: 1.3 MB
    • Record Count: 3114