Snort mailing list archives

RE: Over 1 Million records in ACID.....


From: "Ghercoias, Catalin" <CGhercoias () TWEC COM>
Date: Thu, 27 Mar 2003 16:38:14 -0500

David,

Thank you so much; although I did not have any /etc/my.cnf file in my system
(don't know why....) I added one with the content suggested by you. Now the
ACID/MySQL process has improved significantly.
The changes/additions suggested plus increased values of
'max_script_runtime=1800' in acid_php.conf; 'max_execution_time=1800' and
memory_limit=128M made a big difference in the performance of the system.

Thank you again, 
___________________________
Catalin Ghercoias 
Web/Security System Administrator 
Office Phone: +(518) 452-1242 Ext.7435 
Fax: (518) 452-4768 
Mail: Catalin Ghercoias 
website: http://www.fye.com 


-----Original Message-----
From: David E. Gianndrea [mailto:daveg () comsquared com] 
Sent: Thursday, March 27, 2003 3:07 PM
To: Ghercoias, Catalin
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Over 1 Million records in ACID.....


I had the same thing happen to me, but with a different rule. I added this to
my /etc/my.cnf file

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-innodb
set-variable = table_cache=256
set-variable = key_buffer=64M
set-variable = sort_buffer=4M


Be sure to read the docs for MySQL BEFORE using these. I'm not a DBA but it
helped out some with the performance of MySQL.

-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Web:     www.comsquared.com
Email:   dgianndrea () comsquared com



Ghercoias, Catalin wrote:
Hi,

I got some over 1 (one) million records in ACID under one of the
classifications.

 < Classification >      < Total >      < Sensor# >   < Signatures >   < Src.Addr. >   < Dest.Addr. >
 non-standard-protocol   1176682 (73%)  1             1                5331            5174

This is due to the fact that I turned on the rule "sid: 1620; rev: 3;
msg: "BAD TRAFFIC Non-Standard IP protocol"; ip_proto: !89; classtype: 
non-standard-protocol;)". Big mistake!!!!!

Now that I've learned from this mistake, how can I get rid of these
records? Trying to delete them from the ACID console won't work. I tried
also MySQL Control Center (for Windows, it's true) but it is still not
working and sometimes crashes. Although I have increased the values of
'max_script_runtime=1800' in acid_php.conf; 'max_execution_time=1800'
and memory_limit=128M (it was 8M) in php.ini.

I must say that MySQL and ACID are running on a dual-processor
Pentium III@800 MHz with two hard drives of 32 gigabytes ULTRA3-SCSI
mirrored (RAID 0) and 1 gigabyte of RAM. On this box are running RedHat
Linux 7.3, MySQL 4.0, ACID, Apache 1.3.27. The snort agents are
running on separate machines. With all these, trying to access/delete
in ACID it takes minutes until something is loading in the browser.

Thank you very much in advance,

Catalin Ghercoias.


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users





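The practical problem in this thread is purging roughly a million events of one classification when the ACID web console (bounded by PHP's max_execution_time) and a GUI client both give up on a single huge delete. The script below is an added example, not code from the thread or from the ACID project: it deletes events for one classification in small committed batches, so no single statement runs long enough to hit a script or lock timeout. It assumes the Snort MySQL schema tables event, signature, sig_class and iphdr with the columns used here (check your own create_mysql file), and it runs against an in-memory SQLite copy filled with constructed rows so it works offline; against the real database you would swap the sqlite3 connection for a MySQLdb one and extend the per-key cleanup to the other (sid, cid)-keyed tables such as tcphdr, udphdr, icmphdr, data and opt.

```python
"""Batched purge of Snort/ACID events belonging to one classification.

Added example (not from the thread). Table and column names are an
assumption about the Snort MySQL schema of the time; verify them
against your create_mysql script before running this for real.
"""
import sqlite3

BATCH = 5000  # rows per committed batch; keep it far below what a web request would time out on

# Minimal subset of the Snort schema (assumption), enough for the demo.
DDL = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_class_id INTEGER, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""


def build_sample_db(n_noise=12000, n_keep=300):
    """Constructed sample data: n_noise events from the sid 1620 rule the
    thread talks about, plus n_keep events of another class that must survive."""
    con = sqlite3.connect(":memory:")
    con.executescript(DDL)
    con.execute("INSERT INTO sig_class VALUES (1, 'non-standard-protocol')")
    con.execute("INSERT INTO sig_class VALUES (2, 'attempted-recon')")
    con.execute("INSERT INTO signature VALUES (10, 'BAD TRAFFIC Non-Standard IP protocol', 1, 1620)")
    con.execute("INSERT INTO signature VALUES (11, 'constructed other signature', 2, 99999)")
    total = n_noise + n_keep
    con.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?)",
        [(1, cid, 10 if cid <= n_noise else 11, "2003-03-27 12:00:00")
         for cid in range(1, total + 1)])
    con.executemany(
        "INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
        [(1, cid, 0x0A000001, 0x0A000002, 47) for cid in range(1, total + 1)])
    con.commit()
    return con


def count_events(con, class_name):
    """Number of events whose signature belongs to the given classification."""
    row = con.execute(
        "SELECT COUNT(*) FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "JOIN sig_class c ON c.sig_class_id = s.sig_class_id "
        "WHERE c.sig_class_name = ?", (class_name,)).fetchone()
    return row[0]


def purge_classification(con, class_name, batch=BATCH):
    """Delete events of one classification in committed batches.

    Each round selects at most `batch` (sid, cid) keys, removes the dependent
    iphdr rows and then the event rows for those keys, and commits. Returns
    the total number of events removed.
    """
    total = 0
    while True:
        keys = con.execute(
            "SELECT e.sid, e.cid FROM event e "
            "JOIN signature s ON s.sig_id = e.signature "
            "JOIN sig_class c ON c.sig_class_id = s.sig_class_id "
            "WHERE c.sig_class_name = ? LIMIT ?", (class_name, batch)).fetchall()
        if not keys:
            break
        # Child rows first, then the event rows; add tcphdr/udphdr/icmphdr/data/opt
        # here for a real Snort database.
        con.executemany("DELETE FROM iphdr WHERE sid = ? AND cid = ?", keys)
        con.executemany("DELETE FROM event WHERE sid = ? AND cid = ?", keys)
        con.commit()  # short transactions: other writers (the sensors) are not blocked for long
        total += len(keys)
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", count_events(db, "non-standard-protocol"))
    print("deleted:", purge_classification(db, "non-standard-protocol", batch=1000))
    print("after:", count_events(db, "non-standard-protocol"),
          "kept:", count_events(db, "attempted-recon"))
```

The batch size is the knob: large enough to finish in reasonable time, small enough that each commit stays well under any script or lock timeout and the sensors' inserts keep flowing between batches.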

