Argus Database.

Peter Van Epp vanepp at sfu.ca
Sat Mar 12 23:14:16 EST 2005


	I've come to the conclusion (which Russell suggested long ago :-)) that
instead of fighting with memory exhaustion in perl scripts post processing 
argus output it's time to let mysql do it for me. So far that's gotten as far as
me actually installing mysql on one of my test machines and no further. It's
my intent to start with the ra fields my scripts are currently using (which
are a subset) and see what happens but I expect progress to be slow. As noted
the start will be ra -> perl -> mysql but assuming I find something that works
the correct answer would be a new r client that writes directly to mysql. The
performance issues can probably be most easily beaten by being able to split
argus streams across multiple boxes (I don't currently have enough volume to 
need to do that, but the scripts as they stand can do it). Then assuming that
you are doing once a day summarization as I am you can combine the outputs
of multiple merged streams again into a single output database.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Sat, Mar 12, 2005 at 05:07:05PM +1100, Chris Keladis wrote:
> Hi all,
> 
> I know this topic has come up before, but I was wondering how work was 
> going in adding database support for Argus output?
> 
> I've played around with raxml and managed to use a python script to 
> create a MySQL schema from the XML DTD (although it is very inefficient, 
> it's got the basic structure).
> 
> I was thinking about performance with database output and have been 
> thinking it might be best to use the same method Snort (IDS) uses to 
> support high-speed monitoring, with database output.
> 
> Snort employs a high-speed outfile format called unified output, which 
> is read by a post-processor, and using checkpoints, writes the data into 
> the RDBMS, leaving Snort free to handle the task of performing IDS.
> 
> Perhaps a similar tool would be useful with Argus?
> 
> Would appreciate your thoughts.
> 
> Regards,
> 
> Chris.
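As an added illustration of the two ideas above (the ra -> perl -> mysql post-processing path and a checkpointed post-processor that lets the collector run free), here is example code written for this page, not from argus or either poster. It assumes a whitespace-separated record layout that is not ra's real output format, and uses sqlite3 as a stand-in for MySQL.

```python
import sqlite3
# Constructed sample records; the layout (day clock proto saddr daddr sbytes dbytes)
# is an ASSUMPTION for this example, not ra's real default output format.
SAMPLE_FLOWS = """\
2005-03-12 00:01:10 tcp 10.0.0.5 192.0.2.10 4200 310
2005-03-12 00:02:30 udp 10.0.0.7 192.0.2.53 120 240
2005-03-12 23:59:59 tcp 10.0.0.5 192.0.2.10 9100 700
2005-03-13 00:00:05 tcp 10.0.0.9 192.0.2.10 512 128
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS flows (day TEXT, stime TEXT, proto TEXT,
    saddr TEXT, daddr TEXT, sbytes INTEGER, dbytes INTEGER);
CREATE TABLE IF NOT EXISTS checkpoint (stream TEXT PRIMARY KEY, lineno INTEGER);
"""

def parse_line(line):
    day, clock, proto, saddr, daddr, sbytes, dbytes = line.split()
    return (day, f"{day} {clock}", proto, saddr, daddr, int(sbytes), int(dbytes))

def _flush(conn, stream, lineno, pending):
    # One transaction per batch: the checkpoint only advances with committed rows.
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", pending)
    conn.execute("INSERT OR REPLACE INTO checkpoint VALUES (?,?)", (stream, lineno))
    conn.commit()
    pending.clear()

def load_flows(conn, lines, stream, batch=1000):
    """Stream records into the DB in batches; on restart, skip up to the checkpoint."""
    conn.executescript(SCHEMA)
    row = conn.execute("SELECT lineno FROM checkpoint WHERE stream=?", (stream,)).fetchone()
    done = row[0] if row else 0
    pending, loaded, n = [], 0, done
    for n, line in enumerate(lines, start=1):
        if n <= done or not line.strip():
            continue
        pending.append(parse_line(line))
        loaded += 1
        if len(pending) >= batch:
            _flush(conn, stream, n, pending)
    if n > done:
        _flush(conn, stream, n, pending)
    return loaded

def daily_summary(conn):
    """Once-a-day summarisation: flow count and total bytes per (day, proto)."""
    return conn.execute("SELECT day, proto, COUNT(*), SUM(sbytes + dbytes) FROM flows "
                        "GROUP BY day, proto ORDER BY day, proto").fetchall()

def run_demo(streams=("box1",)):
    """Load the sample once per named stream (one argus box each) into a single DB."""
    conn = sqlite3.connect(":memory:")
    loaded = sum(load_flows(conn, SAMPLE_FLOWS.splitlines(), s) for s in streams)
    return loaded, daily_summary(conn)
```

Loading the same stream name twice inserts nothing the second time, because the checkpoint is already at the last committed line; loading two differently named streams merges both boxes' output into the one summary table.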