[Sguil-users] Re: sguil IDS management and operation
From: Richard B. <tao...@gm...> - 2004-12-07 23:13:20
On Tue, 7 Dec 2004 14:23:10 -0500, Jin Fang <jin...@ut...> wrote:
> Hi Rich,
>
> We have just deployed sguil snort IDS into our distributed environment (with
> about 10 sensors).
>
> But it is awful to see large data traffic flooding the console. I am
> seeking the flexibility to manipulate the database (e.g., data selection by date,
> data deletion, data archive, or purging data from the event view); unfortunately I
> can only find the menu to purge session data.
>
> Do you have any experience of managing the sguil database in an operational
> environment?
>
> ********************************************
>
> Jin Fang
> Network Security Specialist
>
> Computing and Networking Services
>
> University of Toronto

Hello,

It sounds like you have two issues:

1. You run untuned sensors that generate far too many alerts.

2. You let the alerts "pile up" in the interface and never categorize and clear them.

If you haven't read chapter 10 from my book describing how to use Sguil, I recommend doing so. It's online in multiple forms. [0]

If you've already done that, join us in #snort-gui on irc.freenode.net and we'll chat.

Sincerely,

Richard

[0] http://www.taosecurity.com/books.html