Snort mailing list archives
Re: Snort populates Mysql a lot
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 23 Dec 2010 14:06:38 -0500
119 is a generator ID, 19 is the SID.

119 || 19 || http_inspect: LONG HEADER

http://www.snort.org/search/sid/119-19?r=1

Joel

On Dec 23, 2010, at 1:55 PM, J. L. Cabral wrote:
For example, I have several alerts from: SID 119-19. This means that it is SID: 119, Rev: 19, or what??? Because I can't see any alert in /rules with this syntax.....

Thanks a lot

On Thu, Dec 23, 2010 at 12:59 PM, Gregory Zill <gregory () r3g net> wrote:

I haven't used BASE too recently in favor of SnortReport. I currently have a count of 1,348,605 events in the mysql database and the report appears rather quickly. I found an index create script that provided much quicker response. I will leave the performance notes and the index script for you to view.

-----------------------8<---------------------------------------------------------
-- See http://www.mysql.com/doc/S/e/Server_parameters.html for general server tuning tips
-- These 4 make an enormous difference as they improve several of the joins used in *every* query in alerts.php
CREATE INDEX ip_cid ON iphdr (cid);
CREATE INDEX udp_cid ON udphdr (cid);
CREATE INDEX tcp_cid ON tcphdr (cid);
CREATE INDEX icmp_cid ON icmphdr (cid);
-- More improvements by using cid indexes:
CREATE INDEX event_cid ON event (cid);
CREATE INDEX data_cid ON data (cid);
-- This one makes the two alert queries use an index instead of a scan.
CREATE INDEX time_sig ON event (timestamp, signature, cid);
-----------------------8<---------------------------------------------------------

Message: 6
Date: Thu, 23 Dec 2010 12:04:39 -0300
From: "J. L. Cabral" <jelocabral () gmail com>
Subject: [Snort-users] Snort populates Mysql a lot

Dear,

Snort 2.9 is working fine, but I have a problem: in 3 days I get more than 1.000.000 alerts visualized in BASE, and so access to this web interface is very slow. I had to delete all the data from the mysql tables and start Snort again. Can you give me any advice to get the alerts without affecting the performance of the system??? And how many alerts approximately can MySQL store without crashing???

Thanks a lot

JeLo

--
Happiness is when what you think, what you say, and what you do are in harmony.
~Mahatma Gandhi

Gregory W Zill, MBA, CISSP

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
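The identifier Joel decodes in the reply above is a generator:signature pair (gid 119 = http_inspect, sid 19), not a signature:revision pair, which is why it never shows up in the rules files. Snort 2.x ships two map files that make this lookup mechanical: gen-msg.map ("gid || sid || msg") for preprocessor and decoder events, and sid-msg.map ("sid || msg || ref || ref ...") for gid 1 rule events. The following Python resolver is an added example, not code from the thread or from the Snort project; the map contents are constructed for the example (only the 119 || 19 || http_inspect: LONG HEADER line comes from the thread), and the alert identifiers it counts are made up to show how to find the signatures that flood a database the way the original poster describes.

```python
"""Resolve Snort 2.x alert identifiers (gid:sid[:rev]) to their messages.

Added example; not from the mailing-list thread or the Snort project.
The gen-msg.map / sid-msg.map samples below are constructed. Only the
"119 || 19 || http_inspect: LONG HEADER" entry is taken from the thread.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of gen-msg.map: "gid || sid || message".
GEN_MSG_MAP = """\
# gen-msg.map (constructed sample)
1 || 1 || snort general alert
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
119 || 19 || http_inspect: LONG HEADER
"""

# Constructed sample of sid-msg.map (v1 format): "sid || message || ref || ref ...".
SID_MSG_MAP = """\
# sid-msg.map (constructed sample)
1000001 || LOCAL constructed test rule || url,example.test/rule
2000001 || EXAMPLE constructed rule message || cve,2010-0000 || url,example.test
"""

# Accepts "[119:19:1]", "119:19:1", "119:19" and the "119-19" form used on snort.org.
ALERT_ID_RE = re.compile(r"^\[?(\d+)[:-](\d+)(?:[:-](\d+))?\]?$")


def _fields(line: str) -> List[str]:
    """Split one map line on '||', stripping whitespace around each field."""
    return [p.strip() for p in line.split("||")]


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """(gid, sid) -> message, skipping blank and '#' comment lines."""
    table: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = _fields(line)
        if len(parts) >= 3:
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def parse_sid_msg_map(text: str) -> Dict[int, Tuple[str, Tuple[str, ...]]]:
    """sid -> (message, references) for gid 1 rule events."""
    table: Dict[int, Tuple[str, Tuple[str, ...]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = _fields(line)
        if len(parts) >= 2:
            table[int(parts[0])] = (parts[1], tuple(parts[2:]))
    return table


def resolve(gid: int, sid: int, gen_map, sid_map) -> Tuple[str, str]:
    """Return (message, where-it-comes-from).

    gid 1 events are rule hits and live in the rules files / sid-msg.map;
    any other gid is a preprocessor or decoder event described by gen-msg.map,
    so there is no rule text to look for under /rules.
    """
    if gid == 1:
        if sid in sid_map:
            return sid_map[sid][0], "rules file (sid-msg.map)"
        return "unknown", "rules file (sid not in sid-msg.map)"
    if (gid, sid) in gen_map:
        return gen_map[(gid, sid)], "preprocessor/decoder (gen-msg.map)"
    return "unknown", "preprocessor/decoder (gid:sid not in gen-msg.map)"


def resolve_alert_id(ident: str, gen_map, sid_map) -> dict:
    """Parse an identifier such as '[119:19:1]' or '119-19' and resolve it."""
    m = ALERT_ID_RE.match(ident.strip())
    if not m:
        raise ValueError("not a gid:sid[:rev] identifier: %r" % ident)
    gid, sid = int(m.group(1)), int(m.group(2))
    rev = int(m.group(3)) if m.group(3) else None
    msg, source = resolve(gid, sid, gen_map, sid_map)
    return {"gid": gid, "sid": sid, "rev": rev, "msg": msg, "source": source}


def top_signatures(idents: List[str], gen_map, sid_map, n: int = 3):
    """Count alerts per (gid, sid, msg) to see which signatures dominate the database."""
    counts: Counter = Counter()
    for ident in idents:
        r = resolve_alert_id(ident, gen_map, sid_map)
        counts[(r["gid"], r["sid"], r["msg"])] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    gen = parse_gen_msg_map(GEN_MSG_MAP)
    sids = parse_sid_msg_map(SID_MSG_MAP)
    print(resolve_alert_id("119-19", gen, sids))
    # Constructed alert identifiers standing in for a BASE/MySQL export.
    sample = ["[119:19:1]"] * 5 + ["[119:15:1]"] * 2 + ["[1:2000001:3]"]
    for (gid, sid, msg), count in top_signatures(sample, gen, sids):
        print("%d:%d %-45s %d" % (gid, sid, msg, count))
```

Once the noisy entries turn out to be preprocessor events (gid other than 1), the fix is in the preprocessor configuration in snort.conf or in a threshold/suppress entry keyed on gen_id and sig_id, not in a rules file; a gid 1 signature is tuned in the rule itself. Either way, reducing the event rate at the sensor is what keeps the MySQL tables and BASE responsive, on top of the indexes Gregory posted.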
Current thread:
- Snort populates Mysql a lot J. L. Cabral (Dec 23)
- Re: Snort populates Mysql a lot Joel Esler (Dec 23)
- Re: Snort populates Mysql a lot Dustin Webber (Dec 23)
- Re: Snort populates Mysql a lot evilghost () packetmail net (Dec 23)
- <Possible follow-ups>
- Re: Snort populates Mysql a lot Gregory Zill (Dec 23)
- Re: Snort populates Mysql a lot J. L. Cabral (Dec 23)
- Re: Snort populates Mysql a lot Matt Watchinski (Dec 23)
- Re: Snort populates Mysql a lot Joel Esler (Dec 23)
- Re: Snort populates Mysql a lot J. L. Cabral (Dec 30)
- Re: Snort populates Mysql a lot J. L. Cabral (Dec 23)
- Re: Snort populates Mysql a lot Joel Esler (Dec 23)