Snort mailing list archives

Re: Snort Overloading BASE?


From: James Chase <chase1124 () gmail com>
Date: Wed, 20 Jan 2010 15:53:00 -0500

Thanks, Alex.

I'm using MySQL; do you know if there is a script that will work for that as
well?

I've tried using some filtering, but whenever I use this .bpf file, snort
doesn't log ANYTHING. I'm not sure I see what is wrong with my tcpdump
syntax here:

[jchase@monitor ~]$ cat /etc/snort/ignore.bpf.bak
not src host xxx.xxx.xxx.163 and port 25
and not host 192.168.1.30 and port 161

snort    14221     1  0  2009 ?        00:00:00 /usr/sbin/snort -D -i eth0
-u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
/etc/snort/ignore.bpf

On Wed, Jan 20, 2010 at 3:44 PM, Alexander Novokhatsky <alex.ontario () gmail com> wrote:

Hello James,

I've set up Referential Integrity via foreign keys in the database (MS SQL) and
then created a job to remove outdated events based on the dbo.event.timestamp
column. The SQL script required for creating Referential Integrity is included
in the BASE sources. Just look them through.

All other tables are updated automatically.

I try to keep the alert count in BASE around 100.000. It becomes unusable when
the number exceeds 500.000 alerts.

Also consider using threshold and suppress rules in snort. It can help to
reduce the alert count.



Wednesday, January 20, 2010, 3:24:31 PM, you wrote:


I'm running snort-2.8.5-1 on CentOS 5.4 and collecting snort alerts to a
database with barnyard2. The problem is snort seems to be generating so many
alerts that whenever I load the BASE page it takes 5 or 10 minutes to
display! I believe it is just processing the new alerts but it really makes
the system unusable.

Is there anything that can be done to clear out the DB of old alerts
automatically or anyone else that has experienced this problem?

--
"Beware of all enterprises that require new clothes."
 --  Henry David Thoreau



--
Best regards,
 Alexander                            mailto:alex.ontario () gmail com




-- 
"Beware of all enterprises that require new clothes."
 --  Henry David Thoreau
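Added example, not code from the thread: a small Python evaluator for the subset of pcap/BPF filter syntax used in the ignore.bpf above, written to show how libpcap groups that filter. The pcap-filter grammar gives "not" the highest precedence and puts "and" and "or" on one level, associating left to right, so the file as written is read as "(((not src host X and port 25) and not host Y) and port 161)", which can only match a packet that carries port 25 and port 161 at once. The parenthesised INTENDED form, the address 203.0.113.163 standing in for the masked xxx.xxx.xxx.163, and the sample packets are all constructed assumptions.

```python
"""Toy evaluator for a subset of the pcap/BPF filter language.

Precedence modelled as in the pcap-filter manual: 'not' binds tightest;
'and' and 'or' share one level and associate left to right.  Only host/port
primitives with optional src/dst qualifiers are supported.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: addresses and ports only."""
    src: str
    dst: str
    sport: int
    dport: int


_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    def __init__(self, expr):
        self.toks, self.pos = _TOKEN.findall(expr), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        node = self._expr()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _expr(self):
        # 'and' / 'or': same precedence, left-associative (libpcap grammar)
        left = self._unary()
        while self._peek() in ("and", "&&", "or", "||"):
            op = "and" if self._take() in ("and", "&&") else "or"
            left = (op, left, self._unary())
        return left

    def _unary(self):
        # 'not' applies to the single primitive or group right after it
        tok = self._peek()
        if tok in ("not", "!"):
            self._take()
            return ("not", self._unary())
        if tok == "(":
            self._take()
            node = self._expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        return self._primitive()

    def _primitive(self):
        qualifier, tok = "", self._take()
        if tok in ("src", "dst"):
            qualifier, tok = tok + " ", self._take()
        if tok not in ("host", "port"):
            raise ValueError(f"unsupported primitive {tok!r}")
        return (qualifier + tok, self._take())


def _eval(node, pkt):
    op, val = node[0], node[1]
    if op == "and":
        return _eval(val, pkt) and _eval(node[2], pkt)
    if op == "or":
        return _eval(val, pkt) or _eval(node[2], pkt)
    if op == "not":
        return not _eval(val, pkt)
    if op.endswith("host"):
        ends = {"host": (pkt.src, pkt.dst), "src host": (pkt.src,), "dst host": (pkt.dst,)}
        return val in ends[op]
    ports = {"port": (pkt.sport, pkt.dport), "src port": (pkt.sport,), "dst port": (pkt.dport,)}
    return int(val) in ports[op]


def grouping(expr):
    """Return the filter fully parenthesised the way libpcap parses it."""
    def walk(n):
        if n[0] in ("and", "or"):
            return f"({walk(n[1])} {n[0]} {walk(n[2])})"
        return f"not {walk(n[1])}" if n[0] == "not" else f"{n[0]} {n[1]}"
    return walk(_Parser(expr).parse())


def matches(expr, pkt):
    """True if the filter accepts the packet, i.e. snort -F would log it."""
    return _eval(_Parser(expr).parse(), pkt)


# 203.0.113.163 is a constructed stand-in for the masked xxx.xxx.xxx.163
AS_WRITTEN = "not src host 203.0.113.163 and port 25 and not host 192.168.1.30 and port 161"
INTENDED = "not (src host 203.0.113.163 and port 25) and not (host 192.168.1.30 and port 161)"

SAMPLES = {  # constructed traffic
    "web from outside": Packet("198.51.100.7", "192.168.1.10", 40000, 80),
    "mail from .163": Packet("203.0.113.163", "192.168.1.20", 1025, 25),
    "mail from elsewhere": Packet("198.51.100.9", "192.168.1.20", 1025, 25),
    "snmp to .30": Packet("192.168.1.5", "192.168.1.30", 50000, 161),
}

if __name__ == "__main__":
    for name, expr in (("as written", AS_WRITTEN), ("intended", INTENDED)):
        print(f"{name}: {grouping(expr)}")
        for label, pkt in SAMPLES.items():
            print("  " + ("LOG  " if matches(expr, pkt) else "drop ") + label)
```

Running it prints "drop" for every sample under AS_WRITTEN and "LOG" for the web and outside-mail packets under INTENDED. The same check against the real libpcap costs nothing: tcpdump -d 'filter' prints the compiled program, and running tcpdump with the filter on the live interface for a minute before handing it to snort -F shows immediately whether anything at all gets through.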
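Added example, not code from the thread or from the BASE sources: a Python script that uses the standard-library sqlite3 module as a stand-in for MySQL to show the retention job Alex describes, namely child tables tied to event(sid, cid) by ON DELETE CASCADE foreign keys and a periodic delete driven by event.timestamp. Table and column names follow the Snort database schema, but only event, iphdr and data are modelled (the real schema also has tcphdr, udphdr, icmphdr, opt and BASE's acid_event cache), and every row is constructed. In MySQL the cascade only works for InnoDB tables, since MyISAM does not enforce foreign keys.

```python
"""Retention purge for Snort/BASE alert tables with cascading foreign keys.

SQLite stands in for MySQL; the subset of the Snort schema below is an
assumption about shape, not a copy of the BASE script.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
CREATE INDEX event_timestamp ON event (timestamp);
CREATE TABLE iphdr (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE);
CREATE TABLE data (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    data_payload TEXT,
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid) ON DELETE CASCADE);
"""

TABLES = ("event", "iphdr", "data")
FMT = "%Y-%m-%d %H:%M:%S"  # sortable text timestamps, like MySQL DATETIME


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    return conn


def seed(conn, now, total, old):
    """Insert `total` constructed alerts from sensor 1; the first `old`
    are dated 60 days back, the rest one day back."""
    for cid in range(1, total + 1):
        ts = (now - timedelta(days=60 if cid <= old else 1)).strftime(FMT)
        conn.execute("INSERT INTO event VALUES (1, ?, 1000001, ?)", (cid, ts))
        # constructed addresses 192.168.1.5 -> 192.168.1.10 as integers
        conn.execute("INSERT INTO iphdr VALUES (1, ?, 3232235781, 3232235786)", (cid,))
        conn.execute("INSERT INTO data VALUES (1, ?, 'constructed payload')", (cid,))
    conn.commit()


def purge_old_events(conn, now, keep_days):
    """Delete event rows older than keep_days; rows in the child tables go
    with them through the cascade.  Returns the number of event rows removed."""
    cutoff = (now - timedelta(days=keep_days)).strftime(FMT)
    cur = conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def row_counts(conn):
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in TABLES}


def demo():
    """Seed ten alerts (six stale), keep 30 days, report before/after."""
    now = datetime(2010, 1, 20, 15, 53)
    conn = open_db()
    seed(conn, now, total=10, old=6)
    before = row_counts(conn)
    deleted = purge_old_events(conn, now, keep_days=30)
    return before, deleted, row_counts(conn)


if __name__ == "__main__":
    before, deleted, after = demo()
    print(f"before {before}\ndeleted {deleted} events\nafter  {after}")
```

For a production MySQL job, run the delete in bounded batches (DELETE FROM event WHERE timestamp < ... LIMIT 10000, repeated until no rows are affected) so the purge does not hold the event table locked against barnyard2's inserts, and keep timestamp indexed or each pass will scan the whole table. BASE's own acid_event cache is keyed by the same (sid, cid) and needs the same foreign key or a matching delete, otherwise BASE keeps counting alerts that no longer exist.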
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users