[Oisf-users] Re : Record traffic as soon as a thread is detected

Cooper F. Nelson cnelson at ucsd.edu
Fri Sep 29 13:14:33 UTC 2017

We (the University of California) invented PostgreSQL in the 1980's, I
can assure you that there is nothing new about it.

Re:  the lack of authentication, I'm personally fine with that. 
Provided your sensor has enough cores (meaning it is not
oversubscribed), you can run ES on the same box with very close to no
performance impact if you set the priorities properly.  Either run suri
with a niceness of -20 or ES at 19 and it will essentially run only when
the suricata threads are idle.

The reason I recommend moloch is that very often you need to see the
entire 'kill chain' in context to really understand what is happening,
so you might as well record everything.


On 9/29/2017 1:58 AM, Jean-Michel Pouré wrote:
> Moloch seems to rock, but what do you think of Elastic Seach (ES)? I
> participated in some PostgreSQL dev and looking at ES, ES looks like
> chaos. ES does not even provide authentication.
> Why do some guys even **think** about using those old technologies when
> PostgreSQL provides all foundations to implement the same features, but
> in a real database.
> OK, now I gotta ask on the ML if PostgreSQL is in the radar...

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170929/f352d4e6/attachment-0002.sig>

More information about the Oisf-users mailing list