Snort mailing list archives

RE: Finding alerts taking up the most database space

From: "M Shirk" <shirkdog_linux () hotmail com>
Date: Mon, 13 Sep 2004 12:32:29 -0400

When using an IDS in general, if you have 6G of data for a very shorttime-frame, you may need to either tune your sensor by filtering, or byarchiving that data.

If this is for a business/project, you need to have a definition of thetime-frame to keep live data available for analysis. One of the clients Iworked with created 2 GB of data every 3 months. I knew what the problemwas, but they did not let us filter :-). They wanted this info for trending(don't ask).

I think others on the list would chime in that this is not a snort problembecause snort is working.

Do you have snort and the mysql DB and your webserver all on the sameserver? I have run this configuration just for testing and it kills myrather old system with 160MB of RAM.


Shirkdog.
http://www.shirkdog.us

From: "McCash, John" <John.McCash () andrew com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Finding alerts taking up the most database space
Date: Fri, 10 Sep 2004 11:20:47 -0500

Hi,

               I currently am running snort and acid with mysql, and my
database size is getting up around 6G. The data table, data.MYD alone is
about 3.3G. As you may imagine, my db performance is lousy. Does anyone
have an easy way of determining which alerts are taking up the greatest
amount of db space, so that I can selectively prune those entries?

                              Thanks in advance

                                             John McCash

------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.
If you have received it in error, please notify the sender
immediately and delete the original.  Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------------------------------
[mf2]


_________________________________________________________________

Express yourself instantly with MSN Messenger! Download today - it's FREE!hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on

who ports your project to Linux PPC the best. Sponsored by IBM.Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Finding alerts taking up the most database space McCash, John (Sep 10)
- Re: Finding alerts taking up the most database space sekure (Sep 10)
- <Possible follow-ups>
- RE: Finding alerts taking up the most database space McCash, John (Sep 10)
- RE: Finding alerts taking up the most database space M Shirk (Sep 13)
- RE: Finding alerts taking up the most database space McCash, John (Sep 22)