Re: Optimizing Snort, MySQL & BASE installation

[Kevin Johnson <kjohnson () secureideas net>]

On Mon, 2005-07-04 at 11:33, Affan Basalamah wrote:
> Hi all,
>
> The problem about it is Alert management. After running it for one
> day, the BASE console start working slowly, took very long time to
> display the main console, and unable to run queries on Most Recent 15
> Unique Alert and Most Frequent 5 Unique Alert. Mostly we have 1
> million Alert for 1 day operation. I have already minimize my
> signature to detect only most frequent alert, such as worm/virus. The
> false positives have been commented out of my snort.conf and signature
> files.

This is a common complaint.<g>

> Snort version is 2.3.3, MySQL is 4.1 and BASE is 1.3.3, Schema Version
> 106. The configuration is mainly uses default parameter.

While the defaults are decent for performance, they aren't the best.  

> I want to know how is the solution about my problem. Do I have to
> optimize my MySQL settings ? 

Yes.

> Do I have to use Barnyard ?  

Barnyard will not help the performance of BASE but will help with Snort
itself.  I recommend it!

> Do I have to
> delete or archive my Alert database regularly ? 

You do not have too.

> Is information on ACID
> websites about optimization is still relevant to BASE ?

Yes, for the most part it is still valid.  We are in the process of
upgrading the BASE site to have more information.

> This is my first experience with Snort/MySQL/BASE, and I appreciate
> all the help I can get.

Thanks for trying it out.

> -affan

Kevin
-------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!

Attachment: signature.asc
Description: This is a digitally signed message part