851 Views 5 Replies Latest reply: Jul 4, 2013 4:20 AM by uzanatta
rabremmer Newcomer 14 posts since
Dec 3, 2012

Dec 5, 2012 3:34 PM

Data Source Model: ASP or not ASP?

In my data source configuration I have noticed several times that I have an option for a Data Source Model with and without an "(ASP)" on the end.  For example, I have a Trend Micro Deep Security device.  Both Deep Security and Deep Security (ASP) are listed as Data Source Model options.  How do I know which one to use and are there advantages/disadvantages of one over the other?

 

Second question:  What does ASP stand for in this usage?  I doubt it's the Association of Surfing Professionals.

 

Message was edited by: rabremmer on 12/5/12 3:34:17 PM CST
  • anthony_hardin Newcomer 5 posts since
    Oct 19, 2012
    1. Dec 5, 2012 3:58 PM (in response to rabremmer)
    Re: Data Source Model: ASP or not ASP?

    This is a very good question indeed. I’ll start out by saying ASP stands for Advanced Syslog Parser. The ASP parsers are rule-based whereas anything non-ASP is code based. The advantages for using ASP over non-ASP would be performance and the usability.

     

    For example: You set your data source up to use the non-ASP version and you noticed that some of your logs don’t trigger events or maybe some of the events are mapping incorrectly. Since this is a code-based parser you would be stuck with what is there until a new release is shipped with the enhancements for the parser.

     

    With the ASP version this isn’t the case at all. Let’s assume your events aren’t mapping or maybe the mappings are incorrect. With the ASP version you can log a Product Enhancement Request (https://mcafee.acceptondemand.com/index.jsp) and our rules team could, depending on the request, correct the issue and release new or updated rules. The customer would then just need to get a rules update and they would have the corrected rules in place. This is much faster than waiting for an actual code change to be released.

     

    The ASP engine is also far faster when processing rules than the code based parsers. So, if you ever have a choice between the non-ASP and ASP version, always choose the ASP version.

     

  • althena Newcomer 14 posts since
    Jun 11, 2013
    2. Jun 29, 2013 12:37 PM (in response to anthony_hardin)
    Re: Data Source Model: ASP or not ASP?

    Time to revive an old thread...

     

    Can you confirm that this is really the case?

     

    I believe code-based parsers would be faster than ASP, being code based... The disadvantage would be that we can't customize our rules.

     

    Can you please confirm that ASP is actually faster than code based? I always prefer ASP but I sometimes chose code-based parsers thinking they were binaries, and thus faster.

  • uzanatta Apprentice 88 posts since
    Oct 17, 2012
    3. Jul 3, 2013 9:07 AM (in response to althena)
    Re: Data Source Model: ASP or not ASP?

    Hi,

     

    Data Source model ASP and non-ASP sometimes work in different ways and parse different rules, so you have to try both of them before making the right choice.

  • althena Newcomer 14 posts since
    Jun 11, 2013
    4. Jul 3, 2013 6:40 PM (in response to uzanatta)
    Re: Data Source Model: ASP or not ASP?

    Ok, but for a syslog data source, which one would be faster? Say you have 20 rules ASP, 20 rules code based, for the same logs? There should be a clear winner, but the post by Anthony infers that this would be the ASP parser, in terms of performance.

     

    I do not know of a way to test parser performance directly...

  • uzanatta Apprentice 88 posts since
    Oct 17, 2012
    5. Jul 4, 2013 4:20 AM (in response to althena)
    Re: Data Source Model: ASP or not ASP?

    Hi,

     

    In my opinion you should refer to EPS. If the receiver collects, e.g., 5000 EPS, it will be able to collect 5000 EPS independently of the type of Data Source.
