Re: [Sguil-users] NSM Spec profiling

[Paul S. <pa...@ut...>]

There's some problems with your spec sheet.  What if I'm using more than 
one box for sguil?  Your sheet assumes only one box - not even multiple 
CPUs.  What is "Partition Format"?  What is "Full Content Data 
Duration"?  What if I have more than one hard drive?  More than one NIC?

For example, we're running snort with sguil sensor on a dual processor 
AMD box with three NICs.  The server runs on a single processor Intel 
box and the database runs on a separate single processor Intel box. 
Each box has different specs, different NICs, different number of hard 
drives.  If you're serious about collecting specs, you need to allow for 
all those possibilities (and more, I'm sure.)

You also don't ask things like "with or without sancp?, with or without 
ethereal?, etc., etc."  What about the client?  What's it runniing on? 
Or is that not part of the equation?  If not, why not?

Those are just some immediate thoughts.

CS Lee wrote:
> To all the sguil users,
> 
> I'm currently correcting the info to profile the sguil device including 
> hardware and software spec, I have requested such info previously but 
> only having one feedback. Since Richard told me it would be good to have 
> the info in form format , I have created the form so that anyone can 
> just download the form and fill it. All the infos collected will be 
> published after I have compiled it. I think this may help the 
> communities when comes to deploying NSM.
> 
> You can download the form here either in open office or doc format.
> 
> http://www.dissectible.org/anonymous/Misc/NSM-spec.odt
> 
> http://www.dissectible.org/anonymous/Misc/NSM-spec.doc
> 
> 
> I'm pleased to hope that everyone at least fill in the form and submit 
> to me. Thanks.
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>


-- 
Paul Schmehl (pa...@ut...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/