Snort mailing list archives
RE: Anyone using "Enterprise implementation"?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 27 Aug 2003 07:45:45 -0500
-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Tuesday, August 26, 2003 11:18 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Anyone using "Enterprise implementation"?

On Tue, Aug 26, 2003 at 05:26:57PM +0200, Tom Van Overbeke wrote:
> If you're getting that much of info in only 8 hours, I suggest you fine-tune your snort config first. There can't possibly be that much of interesting information in such a short timeframe.

Well yeah he does have a problem - but I'd still like to hear from others running large MySQL databases. Pretend for a moment that's a year's worth of data. Just what can you do to improve performance? (I'd like to know - I'm no SQL person, and I'm getting complaints about the performance of our <1M record ACID installs)
You do what I'm doing. You archive everything older than seven days. We also got one of our programmers to write a small php page that gives us a quick snapshot of the last hour's worth of data. Acid is simply not going to give you performance with over 1 million hits. Even a half million is pushing it.

Or try out Bamm's "sguil". I haven't done it yet (but plan to), so I can't tell you how well it performs on large dbs. I *can* tell you that our php page still loads with a 15,000,000 event db (but not fast) while ACID just gives up the ghost.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/