Snort mailing list archives
Re: Snort Overloading BASE?
From: James Chase <chase1124 () gmail com>
Date: Wed, 20 Jan 2010 15:53:00 -0500
Thanks, Alex. I'm using MySQL, do you know if there is a script that will work for that as well? I've tried using some filtering, but whenever I use this .bpf file, snort doesn't log ANYTHING. I'm not sure I see what is wrong with my tcpdump syntax here:

[jchase@monitor ~]$ cat /etc/snort/ignore.bpf.bak
not src host xxx.xxx.xxx.163 and port 25 and not host 192.168.1.30 and port 161

snort 14221 1 0 2009 ? 00:00:00 /usr/sbin/snort -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F /etc/snort/ignore.bpf

On Wed, Jan 20, 2010 at 3:44 PM, Alexander Novokhatsky <alex.ontario () gmail com> wrote:
Hello James,

I've set up Referential Integrity via foreign keys in the database (MS SQL) and then created a job to remove outdated events based on the dbo.event.timestamp column. The SQL script required for creating Referential Integrity is included in the BASE sources. Just look them through. All other tables are updated automatically. I try to keep the number of alerts in BASE around 100,000. It becomes unusable when the number exceeds 500,000 alerts. Also consider using threshold and suppress rules in snort. It can help to reduce the alert count.

Wednesday, January 20, 2010, 3:24:31 PM, you wrote:

I'm running snort-2.8.5-1 on CentOS 5.4 and collecting snort alerts to a database with barnyard2. The problem is snort seems to be generating so many alerts that whenever I load the BASE page it takes 5 or 10 minutes to display! I believe it is just processing the new alerts but it really makes the system unusable. Is there anything that can be done to clear out the DB of old alerts automatically or anyone else that has experienced this problem?

-- "Beware of all enterprises that require new clothes." -- Henry David Thoreau

-- Best regards, Alexander mailto:alex.ontario () gmail com
-- "Beware of all enterprises that require new clothes." -- Henry David Thoreau
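Editor's note on the filter quoted above, with an added example that is not part of the thread. In pcap filter syntax `not` binds tighter than `and`, and `and` binds tighter than `or`, so `not src host A and port 25 and not host B and port 161` parses as `(not src host A) and (port 25) and (not host B) and (port 161)`: a packet would have to involve port 25 and port 161 at the same time, which never happens, so every packet is dropped before Snort sees it and the sensor goes silently blind. The apparent intent (exclude SMTP from the .163 host and SNMP to or from 192.168.1.30) needs parentheses: `not (src host A and port 25) and not (host B and port 161)`. The script below is a small re-implementation of just the boolean layer of BPF (not libpcap) to make the precedence visible; the traffic is constructed, and 203.0.113.163 is a documentation address standing in for the elided xxx.xxx.xxx.163. Before deploying any ignore filter, `tcpdump -d -F /etc/snort/ignore.bpf` shows whether it even compiles, and `tcpdump -r some.pcap -F /etc/snort/ignore.bpf` shows how much traffic survives it.

```python
"""Model of libpcap/BPF filter precedence (not > and > or), added here
to show why the filter posted above matches nothing.  This is only the
boolean layer with host/port primitives and src/dst qualifiers; real
filters are compiled by libpcap."""
import re

# Constructed sample traffic; 203.0.113.163 stands in for xxx.xxx.xxx.163.
PACKETS = [
    {"src": "203.0.113.163", "dst": "192.0.2.10", "sport": 25, "dport": 40000},  # SMTP from .163
    {"src": "192.0.2.10", "dst": "203.0.113.163", "sport": 40001, "dport": 25},  # SMTP to .163
    {"src": "192.168.1.30", "dst": "192.0.2.20", "sport": 161, "dport": 50000},  # SNMP from .30
    {"src": "192.0.2.20", "dst": "192.168.1.30", "sport": 50001, "dport": 161},  # SNMP to .30
    {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 4444, "dport": 22},    # unrelated SSH
    {"src": "192.0.2.10", "dst": "198.51.100.9", "sport": 50002, "dport": 80},   # unrelated HTTP
]

AS_POSTED = "not src host 203.0.113.163 and port 25 and not host 192.168.1.30 and port 161"
PARENTHESIZED = "not (src host 203.0.113.163 and port 25) and not (host 192.168.1.30 and port 161)"

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

class Parser:
    """Recursive descent with pcap precedence: not binds tightest, then and, then or."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.i:])
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.not_expr())
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            return ("host", direction, self.take())
        if tok == "port":
            return ("port", direction, int(self.take()))
        raise ValueError("unsupported primitive: %r" % tok)

def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet dict."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    _, direction, value = node
    if kind == "host":
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
    else:
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]
    return any(pkt[f] == value for f in fields)

def count_passed(expr, packets=PACKETS):
    """Number of packets the filter lets through, i.e. what Snort would inspect."""
    tree = Parser(expr).parse()
    return sum(1 for p in packets if matches(tree, p))
```

Running `count_passed(AS_POSTED)` on the constructed traffic gives 0, matching the "doesn't log ANYTHING" symptom; `count_passed(PARENTHESIZED)` gives 3, the unrelated SSH/HTTP packets plus the inbound SMTP packet, which the posted filter was apparently not trying to exclude.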
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
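Editor's note on the pruning approach Alex describes, as an added example that is neither BASE's nor Snort's own script. The idea carries over from MS SQL to MySQL unchanged: give every per-alert table a foreign key on (sid, cid) that references event(sid, cid) with ON DELETE CASCADE, then have a scheduled job delete from event by timestamp and let the database remove the matching iphdr/tcphdr/udphdr/icmphdr/data/acid_event rows. The script below models that with SQLite from the standard library so it runs offline; the schema is a cut-down subset that keeps the Snort/BASE table and column names but not all columns, and the alert rows are constructed. One caveat matters on MySQL: FOREIGN KEY is only enforced on InnoDB tables, and MyISAM (the default engine on MySQL 5.0, as shipped with CentOS 5) accepts the clause and silently ignores it, so each table needs `ALTER TABLE iphdr ENGINE=InnoDB;` before `ALTER TABLE iphdr ADD FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE;`. SQLite ignores foreign keys in exactly the same way unless `PRAGMA foreign_keys = ON` is set, which the example uses to show what an unenforced constraint leaves behind: orphaned child rows that BASE can no longer reach.

```python
"""Prune old Snort alerts through foreign keys with ON DELETE CASCADE.
Added illustration using SQLite as a stand-in for MySQL; the schema is a
cut-down subset of the Snort/BASE tables (same names, fewer columns)."""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE event (
  sid INTEGER NOT NULL, cid INTEGER NOT NULL,
  signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
  PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
  sid INTEGER NOT NULL, cid INTEGER NOT NULL,
  ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL, ip_proto INTEGER NOT NULL,
  PRIMARY KEY (sid, cid),
  FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE);
CREATE TABLE tcphdr (
  sid INTEGER NOT NULL, cid INTEGER NOT NULL,
  tcp_sport INTEGER NOT NULL, tcp_dport INTEGER NOT NULL,
  PRIMARY KEY (sid, cid),
  FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE);
CREATE TABLE data (
  sid INTEGER NOT NULL, cid INTEGER NOT NULL, data_payload TEXT,
  PRIMARY KEY (sid, cid),
  FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE);
CREATE TABLE acid_event (
  sid INTEGER NOT NULL, cid INTEGER NOT NULL,
  signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
  PRIMARY KEY (sid, cid),
  FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE);
"""
CHILD_TABLES = ("iphdr", "tcphdr", "data", "acid_event")
TS_FMT = "%Y-%m-%d %H:%M:%S"   # Snort's DATETIME text form; sorts lexically

def open_db(enforce_fk=True):
    conn = sqlite3.connect(":memory:")
    # Without this pragma SQLite parses the FOREIGN KEY clauses but never
    # enforces them, the same way MySQL behaves on MyISAM tables.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    return conn

def insert_alert(conn, sid, cid, when):
    """One constructed alert spread over event and its child tables."""
    ts = when.strftime(TS_FMT)
    conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, 1000001, ts))
    conn.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)", (sid, cid, 3232235777, 3221225985, 6))
    conn.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, 40000 + cid, 25))
    conn.execute("INSERT INTO data VALUES (?,?,?)", (sid, cid, "EHLO mail.example"))
    conn.execute("INSERT INTO acid_event VALUES (?,?,?,?)", (sid, cid, 1000001, ts))

def prune_events(conn, now, keep_days):
    """The scheduled job: delete parents older than the cutoff and return
    how many event rows went; children follow through the cascade."""
    cutoff = (now - timedelta(days=keep_days)).strftime(TS_FMT)
    cur = conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def row_counts(conn):
    return {t: conn.execute("SELECT COUNT(*) FROM %s" % t).fetchone()[0]
            for t in ("event",) + CHILD_TABLES}

def orphan_count(conn, table):
    """Child rows whose parent event no longer exists (should be zero)."""
    sql = ("SELECT COUNT(*) FROM %s c LEFT JOIN event e "
           "ON c.sid = e.sid AND c.cid = e.cid WHERE e.sid IS NULL" % table)
    return conn.execute(sql).fetchone()[0]

def run_demo(enforce_fk=True, n_old=60, n_new=40, keep_days=30):
    now = datetime(2010, 1, 20, 15, 53, 0)   # constructed clock: date of the thread
    conn = open_db(enforce_fk)
    cid = 0
    for age_days, count in ((45, n_old), (2, n_new)):
        for _ in range(count):
            cid += 1
            insert_alert(conn, 1, cid, now - timedelta(days=age_days))
    deleted = prune_events(conn, now, keep_days)
    counts = row_counts(conn)
    orphans = {t: orphan_count(conn, t) for t in CHILD_TABLES}
    conn.close()
    return deleted, counts, orphans
```

With the constraint enforced, `run_demo(True)` deletes the 60 old events and every child table drops to 40 rows with no orphans; `run_demo(False)` deletes the same 60 events but leaves 60 unreachable rows in each child table, which is what a MyISAM deployment of this job would silently accumulate. On a production MySQL with hundreds of thousands of rows, run the DELETE from cron in bounded batches (a `LIMIT` on the cutoff query, repeated until rowcount is zero) so the cascade does not hold locks for minutes while barnyard2 is still inserting.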
Current thread:
- Snort Overloading BASE? James Chase (Jan 20)
- Message not available
- Re: Snort Overloading BASE? James Chase (Jan 20)
- Re: Snort Overloading BASE? Joel Esler (Jan 20)
- Re: Snort Overloading BASE? James Chase (Jan 20)
- Message not available
- Re: Snort Overloading BASE? Chan, Wilson (Feb 03)