Snort mailing list archives
Problems archiving lots of alerts using ACID
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Mon, 15 Jul 2002 18:06:26 -0500
My Setup:
Sun E250, 2x400MHz, 1GB RAM
OS is on 2 DiskSuite mirrored 18GB disks.
Apps and database are on 4 Veritas RAID-5 18GB disks. (yech, I know)
Solaris 2.8
Apache 1.3.26
mysql-3.23.49-sun-solaris2.8-sparc package provided by mysql.com
PHP 4.1.2 (mod_php)

I'm trying to archive some of my largest batches of alerts. Here is one of the top alerts (cut and pasted from ACID):

WEB-IIS multiple decode attempt web-application-attack 29416 (6%)

I click the check box next to the alert, select "Archive alert(s) (move)" from the drop-down and click the "Selected" button. After about 10-15 minutes, the web browser returns an error and when I go back to the top 5 alerts page, there are only about 300 alerts archived. Successive attempts show the same pattern:

WEB-IIS multiple decode attempt web-application-attack 29137 (5%) (279 archived)
WEB-IIS multiple decode attempt web-application-attack 28815 (5%) (322 archived)
WEB-IIS multiple decode attempt web-application-attack 28508 (5%) (307 archived)
WEB-IIS multiple decode attempt web-application-attack 28199 (5%) (309 archived)
WEB-IIS multiple decode attempt web-application-attack 27916 (5%) (283 archived)
WEB-IIS multiple decode attempt web-application-attack 27481 (5%) (435 archived)

I have successfully archived up to 20,000 alerts at one time in the past. I've checked the Apache logs for any errors and the mysql logs don't appear to be recording (i.e. I can't find a mysqld.log anywhere). I'm not a very savvy MySQL admin, and have not been able to find any meaningful logs. The ACID-FAQ B-10 alludes to making some extra indexes, but doesn't include instructions for creating them. I've optimized both the primary and archive databases using the procedure in B-10 (the last archive attempt above shot up about 50%).

Here are some summary stats to give an idea of how big my database is:

Sensors: 25 [This is actually 3 sensors with a succession of BPF filters applied.]
Unique Alerts: 715 (23 categories)
Total Number of Alerts: 541495
Source IP addresses: 13800
Dest. IP addresses: 45986
Unique IP links: 69740

I've toyed with max_execution_time in php.ini, going from 30 to 300 to 900, with no effect.

Any suggestions or good chapters in manuals to read about this?

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
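Added example, not part of Owen's post and not ACID's or Snort's own code: a Python/sqlite3 sketch of moving one signature's alerts from the live table to an archive table in bounded batches, with one transaction per batch and a row-count check afterwards. The table layout here (`event`, `archive`, columns `sid`, `cid`, `signature`, `ts`) is a constructed stand-in, not the real Snort/ACID schema, and the batch-move approach is an assumption of this example: it simply avoids pushing ~29,000 row moves through a single browser request that has to finish inside Apache/PHP's request time limit, and it reports how far it got, which is the check you want when the UI reports only a few hundred rows landed.

```python
import sqlite3

# Constructed minimal schema for illustration only. It is NOT the real
# Snort/ACID table layout; the real database spreads an alert over
# several tables.
SCHEMA = """
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER,
                      ts TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE archive (sid INTEGER, cid INTEGER, signature INTEGER,
                      ts TEXT, PRIMARY KEY (sid, cid));
-- index on the column the archive job filters on
CREATE INDEX event_signature_idx ON event (signature);
"""

def open_db():
    """In-memory database carrying the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def seed(conn, signature, n, sid=1, start_cid=1):
    """Insert n constructed alert rows for one signature id."""
    rows = [(sid, cid, signature, "2002-07-15 00:00:00")
            for cid in range(start_cid, start_cid + n)]
    with conn:
        conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    return start_cid + n

def count(conn, table, signature):
    """Rows for a signature in one of the two known tables."""
    if table not in ("event", "archive"):
        raise ValueError(table)
    sql = "SELECT COUNT(*) FROM %s WHERE signature = ?" % table
    return conn.execute(sql, (signature,)).fetchone()[0]

def archive_signature(conn, signature, batch_size=500):
    """Move every row for `signature` from event to archive, committing
    after each batch so an interruption loses at most one batch and the
    rows already moved stay moved. Returns the number of rows moved."""
    moved = 0
    while True:
        rows = conn.execute(
            "SELECT sid, cid, signature, ts FROM event "
            "WHERE signature = ? ORDER BY sid, cid LIMIT ?",
            (signature, batch_size)).fetchall()
        if not rows:
            return moved
        with conn:  # one transaction per batch
            conn.executemany("INSERT INTO archive VALUES (?, ?, ?, ?)", rows)
            conn.executemany("DELETE FROM event WHERE sid = ? AND cid = ?",
                             [(sid, cid) for sid, cid, _, _ in rows])
        moved += len(rows)

def archive_and_verify(conn, signature, batch_size=500):
    """Run the batched move and compare counts before and after, which
    is the check to do when a UI claims only part of a set was moved."""
    before = count(conn, "event", signature)
    archived_before = count(conn, "archive", signature)
    moved = archive_signature(conn, signature, batch_size)
    left = count(conn, "event", signature)
    archived_after = count(conn, "archive", signature)
    ok = (moved == before and left == 0
          and archived_after - archived_before == before)
    return {"before": before, "moved": moved, "left": left, "ok": ok}

if __name__ == "__main__":
    db = open_db()
    seed(db, signature=1, n=1234)                 # the big signature
    seed(db, signature=2, n=100, start_cid=5000)  # must be left alone
    print(archive_and_verify(db, 1))
```

Each batch is its own short transaction, so a timeout or a dropped connection partway through leaves the database consistent and the loop can simply be re-run; the `count` comparison at the end is what tells you whether the job actually finished rather than trusting the UI's summary.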