Snort mailing list archives

Problems archiving lots of alerts using ACID


From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Mon, 15 Jul 2002 18:06:26 -0500

My Setup:
Sun E250, 2x400MHz, 1GB RAM
OS is on 2 DiskSuite mirrored 18GB disks.
Apps and database are on 4 Veritas RAID-5 18GB disks. (yech, I know)
Solaris 2.8
Apache 1.3.26
mysql-3.23.49-sun-solaris2.8-sparc package provided by mysql.com
PHP 4.1.2 (mod_php)

I'm trying to archive some of my largest batches of alerts.  Here is one
of the top alerts (cut and pasted from ACID):
WEB-IIS multiple decode attempt    web-application-attack    29416 (6%)

I click the check box next to the alert, select "Archive alert(s)
(move)" from the drop down and click the "Selected" button.

After about 10-15 minutes, the web browser returns an error and when I
go back to the top 5 alerts page, there are only about 300 alerts
archived.  Successive attempts show the same pattern:
WEB-IIS multiple decode attempt    web-application-attack    29137 (5%)    (279 archived)
WEB-IIS multiple decode attempt    web-application-attack    28815 (5%)    (322 archived)
WEB-IIS multiple decode attempt    web-application-attack    28508 (5%)    (307 archived)
WEB-IIS multiple decode attempt    web-application-attack    28199 (5%)    (309 archived)
WEB-IIS multiple decode attempt    web-application-attack    27916 (5%)    (283 archived)
WEB-IIS multiple decode attempt    web-application-attack    27481 (5%)    (435 archived)

I have successfully archived up to 20,000 alerts at one time in the
past.  I've checked the Apache logs for any errors, and the MySQL logs
don't appear to be recording (i.e., I can't find a mysqld.log anywhere).
I'm not a very savvy MySQL admin, and have not been able to find any
meaningful logs.  The ACID FAQ B-10 alludes to making some extra
indexes, but doesn't include instructions for creating them.  I've
optimized both the primary and archive databases using the procedure in
B-10 (the last archive attempt above shot up about 50%).

Here's some summary stats to give an idea of how big my database is:

Sensors: 25 [This is actually 3 sensors with a succession of BPF filters
             applied.]
Unique Alerts: 715    (   23 categories   )
Total Number of Alerts: 541495
Source IP addresses: 13800
Dest. IP addresses: 45986
Unique IP links 69740

I've toyed with max_execution_time in php.ini, going from 30 to 300 to
900, with no effect.

Any suggestions or good chapters in manuals to read about this?

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
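
The pattern reported above (a browser request that dies after 10-15 minutes with only a few hundred rows moved) is what a multi-table move of tens of thousands of alerts looks like when it is driven from one PHP request. A common workaround is to do the move from the command line in small, individually committed batches, so that no single request or transaction has to survive the whole job and a failure part way leaves both databases consistent. The script below is an added example for this thread; it is not code from the original post or from ACID. It assumes the classic Snort database layout (an event table plus per-alert child tables all keyed by (sid, cid), and a signature table) and an archive database with identical tables. The child-table list, the trimmed column sets, the index name and the sample alerts are constructed for the demo, which runs against two in-memory SQLite databases so it works offline.

```python
"""Batch-archive Snort alerts for one signature outside the ACID web UI.

Added example; not code from the original post or from ACID. Assumes the
classic Snort schema: `event` plus per-alert child tables keyed by
(sid, cid), a `signature` table, and an archive database with identical
tables. Two in-memory SQLite databases stand in for the MySQL pair.
"""
import sqlite3

# Per-alert child tables hanging off event via (sid, cid). Constructed subset
# of the Snort schema; a real run would add udphdr, icmphdr, opt, ...
CHILD_TABLES = ("iphdr", "tcphdr", "data")

# Trimmed-down column sets for the demo. The real tables carry more columns;
# INSERT ... SELECT t.* only needs both databases to share the same layout.
TABLE_DEFS = {
    "signature": "(sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER, sig_priority INTEGER)",
    "event": "(sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid))",
    "iphdr": "(sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid))",
    "tcphdr": "(sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid))",
    "data": "(sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid))",
}


def archive_signature(conn, sig_name, batch_size=500):
    """Move every alert named sig_name from schema `main` to schema `archive`,
    batch_size alerts per committed transaction. conn must be in autocommit
    mode (BEGIN/COMMIT are issued explicitly). Returns events moved."""
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS batch_keys "
                 "(sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid))")
    moved = 0
    while True:
        conn.execute("BEGIN")
        try:
            conn.execute("DELETE FROM batch_keys")
            # Next slice of keys; an index on event(signature) keeps this
            # cheap on a table with hundreds of thousands of rows.
            conn.execute(
                "INSERT INTO batch_keys (sid, cid) "
                "SELECT e.sid, e.cid FROM main.event e "
                "JOIN main.signature s ON s.sig_id = e.signature "
                "WHERE s.sig_name = ? ORDER BY e.sid, e.cid LIMIT ?",
                (sig_name, batch_size))
            n = conn.execute("SELECT COUNT(*) FROM batch_keys").fetchone()[0]
            if n == 0:
                conn.execute("COMMIT")
                break
            # The archive must carry the signature row the events point at.
            conn.execute("INSERT OR IGNORE INTO archive.signature "
                         "SELECT * FROM main.signature WHERE sig_name = ?",
                         (sig_name,))
            # Copy then delete, parent and children, in one transaction.
            for table in ("event",) + CHILD_TABLES:  # fixed identifiers
                conn.execute(
                    f"INSERT INTO archive.{table} SELECT t.* FROM main.{table} t "
                    "JOIN batch_keys b ON b.sid = t.sid AND b.cid = t.cid")
                conn.execute(
                    f"DELETE FROM main.{table} WHERE EXISTS (SELECT 1 FROM batch_keys b "
                    f"WHERE b.sid = {table}.sid AND b.cid = {table}.cid)")
            conn.execute("COMMIT")
        except Exception:
            conn.execute("ROLLBACK")
            raise
        moved += n
    return moved


def row_count(conn, db, table):
    """Rows in db.table, where db is 'main' or 'archive'."""
    return conn.execute(f"SELECT COUNT(*) FROM {db}.{table}").fetchone()[0]


def build_demo(n_target=1234, n_other=50):
    """Constructed data: n_target alerts for the signature from the post and
    n_other for an unrelated one, in two in-memory databases."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    for db in ("main", "archive"):
        for table, cols in TABLE_DEFS.items():
            conn.execute(f"CREATE TABLE {db}.{table} {cols}")
        # The kind of extra index the FAQ hints at: event lookups by signature.
        conn.execute(f"CREATE INDEX {db}.event_signature_idx ON event (signature)")
    conn.executemany("INSERT INTO main.signature VALUES (?, ?, ?, ?)",
                     [(1, "WEB-IIS multiple decode attempt", 1, 1), (2, "ICMP PING", 2, 3)])
    cid = 0
    for sig_id, count in ((1, n_target), (2, n_other)):
        for _ in range(count):
            cid += 1
            conn.execute("INSERT INTO main.event VALUES (1, ?, ?, ?)",
                         (cid, sig_id, f"2002-07-15 18:{cid % 60:02d}:00"))
            conn.execute("INSERT INTO main.iphdr VALUES (1, ?, ?, ?)",
                         (cid, 0x0A000000 + cid, 0xC0A80001))
            if sig_id == 1:  # only the HTTP alerts carry a TCP header and payload
                conn.execute("INSERT INTO main.tcphdr VALUES (1, ?, ?, 80)", (cid, 1024 + cid))
                if cid % 2 == 0:
                    conn.execute("INSERT INTO main.data VALUES (1, ?, ?)", (cid, "constructed payload"))
    return conn


if __name__ == "__main__":
    conn = build_demo()
    moved = archive_signature(conn, "WEB-IIS multiple decode attempt", batch_size=500)
    print(f"moved {moved}; main event rows {row_count(conn, 'main', 'event')}, "
          f"archive event rows {row_count(conn, 'archive', 'event')}")
```

Against a MySQL pair on the same server the statements carry over with the archive database named as a second schema (INSERT INTO snort_archive.event SELECT ... FROM snort.event ...), INSERT IGNORE in place of INSERT OR IGNORE, and a DB-API connection in autocommit mode; the child-table list must be extended to every table in the installed schema or rows will be orphaned. Because the job runs outside Apache, neither the browser nor php.ini's max_execution_time is in the loop, and a batch that fails is rolled back rather than half-moved.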

