McAfee M-1250 IPS Configuration Guide - Page 146
McAfee® Network Security Platform 5.1 Managing IPS settings

• Alert with packet log = 650 bytes (average)

Space for packet logs must also be allocated in your database. Packet logs are generated less often than alerts, but a packet log is generally larger than an alert. The average size of a packet log is approximately 450 bytes (based on 30,000,000 logs).

Determining average alert rate (weekly)

A good reference point for determining the database capacity you need for alerts and packet logs is to find the average alert rate for one week, then multiply it by a longer time frame such as 12 weeks, one year (52 weeks), and so forth. To do this, generate an Executive Summary Report using a one-week time horizon.

1 Click Reports from the Manager Home page.

2 Select Executive Summary Report.

3 Fill in the following fields to determine the average weekly alert rate:

   Admin Domain: select the root admin domain (default).

   Sensor: select ALL SENSORS (default if you have more than one Sensor).

   Alert Severity: make sure all three severities (Low, Medium, High) are checked. When all three are selected, Informational alerts are also included.

   Alert State: select View All Alerts. Both acknowledged and unacknowledged alerts are then included for the specified time frame.

   Time Range: choose Select alerts in the past: 1 Week(s). You do not need to adjust the "Ending" time fields.

   Get summary of: you do not have to adjust this field.

   Report Format: select one of HTML, PDF, or Save as CSV.

4 Click Run Report once all of the above fields are set.

This report displays your alert data in a presentation-style format (tables and colored pie charts). The first pie chart details the "Total Alerts Per Sensor." Add the totals from each Sensor to obtain the alert count for one week.
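The arithmetic the procedure leads to, as an added example that is not part of the McAfee guide: it sums the per-Sensor totals read off the one-week report, prices each alert and packet log with the guide's average sizes (650 bytes for an alert that has a packet log, 450 bytes per packet log), scales to a chosen retention window, and applies the guide's 10,000/1,000,000 alerts-per-week rule of thumb. The size of an alert without a packet log is stated on a page not reproduced here, so the 200-byte value below is an assumed placeholder; the sensor names and counts are constructed sample input.

```python
# Added example (not from the McAfee guide): turn a one-week alert count into a
# multi-week database capacity estimate using the guide's per-record sizes.

ALERT_WITH_PACKET_LOG_BYTES = 650   # guide: average alert record that has a packet log
PACKET_LOG_BYTES = 450              # guide: average packet log (based on 30,000,000 logs)
# The guide's figure for an alert WITHOUT a packet log is on a page not reproduced
# here; 200 bytes is an ASSUMED placeholder so the example runs. Replace it with the
# value from your own copy of the guide.
ALERT_WITHOUT_PACKET_LOG_BYTES = 200

LOW_WEEKLY_ALERTS = 10_000        # guide: "low"
HIGH_WEEKLY_ALERTS = 1_000_000    # guide: "high", review the applied policy


def weekly_alert_total(alerts_per_sensor):
    """Step 4 of the procedure: add the 'Total Alerts Per Sensor' values from the report."""
    return sum(alerts_per_sensor.values())


def weekly_storage_bytes(weekly_alerts, weekly_packet_logs,
                         alert_without_log=ALERT_WITHOUT_PACKET_LOG_BYTES):
    """Bytes consumed by one week of alerts plus their packet logs.

    An alert that carries a packet log is stored as the larger alert record plus a
    separate packet-log record; the remaining alerts use the smaller record.
    """
    if weekly_packet_logs > weekly_alerts:
        raise ValueError("packet logs cannot exceed alerts: every log belongs to an alert")
    with_log = weekly_packet_logs
    without_log = weekly_alerts - weekly_packet_logs
    return (with_log * (ALERT_WITH_PACKET_LOG_BYTES + PACKET_LOG_BYTES)
            + without_log * alert_without_log)


def estimate_database_bytes(alerts_per_sensor, weekly_packet_logs, weeks=52, **kw):
    """Scale the one-week figure to the retention window (12 weeks, 52 weeks, ...)."""
    weekly = weekly_alert_total(alerts_per_sensor)
    return weeks * weekly_storage_bytes(weekly, weekly_packet_logs, **kw)


def alert_rate_rating(weekly_alerts):
    """Guide's rule of thumb: 10,000 alerts/week is low, 1,000,000/week is high."""
    if weekly_alerts >= HIGH_WEEKLY_ALERTS:
        return "high: check whether the applied policy exactly matches the protected network"
    if weekly_alerts <= LOW_WEEKLY_ALERTS:
        return "low"
    return "moderate"


if __name__ == "__main__":
    # Constructed sample: per-Sensor totals as read off a one-week report (not real data).
    sample = {"sensor-dmz": 120_000, "sensor-core": 80_000}
    weekly = weekly_alert_total(sample)
    total = estimate_database_bytes(sample, weekly_packet_logs=40_000, weeks=52)
    print(f"{weekly:,} alerts/week ({alert_rate_rating(weekly)}): "
          f"~{total / 1e9:.2f} GB for one year")
```

Run it once with a 12-week window and once with 52 to see the two retention options the guide mentions; the per-record constants are the only inputs you should need to adjust after confirming them against your own guide version.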
Database sizing requirements

Based on the average size of an alert without a packet log, the following graph and table are provided to help you determine the database size required to store one year of alert data, based on the number of alerts generated by your Network Security Sensors over a one-week period.

Note 1: For comparison, 10,000 alerts per week is low, while 1,000,000 alerts per week is high. If you are generating 1,000,000 alerts per week, it is recommended that you review your applied Network Security Platform policies to determine whether you are applying a policy that is an "exact" match for your protected network environment.

138