Snort mailing list archives

Re: Snort populates Mysql a lot


From: Gregory Zill <gregory () r3g net>
Date: Thu, 23 Dec 2010 09:59:59 -0600

I haven't used BASE too recently in favor of SnortReport. I currently have a
count of 1,348,605 events in the mysql database and report appears rather
quickly. I found an index create script that provided much quicker response.
I will leave the performance notes and the index script for you to view.

-----------------------8<---------------------------------------------------------

See http://www.mysql.com/doc/S/e/Server_parameters.html for general server
tuning tips

-- These 4 make an enormous difference as they improve several of the joins
-- used in *every* query in alerts.php
CREATE INDEX ip_cid ON iphdr (cid);
CREATE INDEX udp_cid ON udphdr (cid);
CREATE INDEX tcp_cid ON tcphdr (cid);
CREATE INDEX icmp_cid ON icmphdr (cid);

-- More improvements by using cid indexes:
CREATE INDEX event_cid ON event (cid);
CREATE INDEX data_cid ON data (cid);

-- This one makes the two alert using queries use an index instead of a
-- scan.
CREATE INDEX time_sig ON event (timestamp, signature, cid);

-----------------------8<---------------------------------------------------------



Message: 6
Date: Thu, 23 Dec 2010 12:04:39 -0300
From: "J. L. Cabral" <jelocabral () gmail com>
Subject: [Snort-users] Snort populates Mysql a lot

Dear, Snort 2.9 is working fine, but I have a problem: in 3 days I get more
than 1.000.000 alerts visualized in BASE, and so the access to this web
interface is very slow.

I had to delete all the data from the mysql tables and start Snort again.

Can you give me any advice to get the alerts without affecting the performance
of the system ???

And how many alerts approximately can MySQL store without crashing ???

Thanks a lot

JeLo


-- 
Happiness is when what you think, what you say, and what you do are in
harmony.
                                       ~Mahatma Gandhi

Gregory W Zill, MBA, CISSP
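The index script above claims the cid indexes turn table scans into index lookups for the header joins, and that time_sig does the same for the time/signature filter. The following is an added example (not code from the thread, Snort or BASE) that checks that claim with a query planner. It builds a constructed miniature of the Snort schema (event, iphdr, tcphdr with the columns the indexes touch), loads constructed alerts, and compares EXPLAIN QUERY PLAN output before and after the indexes exist. SQLite stands in for MySQL so it runs offline, and the two query shapes are assumed approximations of what alerts.php issues, not BASE's actual SQL.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed miniature of the Snort/BASE schema: only the tables and columns
# the thread's index script touches. SQLite stands in for MySQL so the demo
# runs offline; EXPLAIN QUERY PLAN plays the role of MySQL's EXPLAIN.
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                     timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                     tcp_dport INTEGER, PRIMARY KEY (sid, cid));
"""

# The indexes from the thread that apply to this miniature (udphdr, icmphdr
# and data are left out here; the same pattern applies to them).
INDEX_SCRIPT = """
CREATE INDEX ip_cid    ON iphdr  (cid);
CREATE INDEX tcp_cid   ON tcphdr (cid);
CREATE INDEX event_cid ON event  (cid);
CREATE INDEX time_sig  ON event  (timestamp, signature, cid);
"""

# Two assumed query shapes of the kind alerts.php issues: a header join keyed
# on cid, and a time-window filter for one signature.
JOIN_QUERY = """
SELECT e.cid, ip.ip_src, ip.ip_dst, t.tcp_dport
FROM event e
JOIN iphdr  ip ON ip.cid = e.cid
JOIN tcphdr t  ON t.cid  = e.cid
WHERE e.cid = ?
"""
TIME_SIG_QUERY = """
SELECT cid FROM event
WHERE timestamp >= ? AND signature = ?
"""


def load_sample_events(conn, n):
    """Insert n constructed alerts (one sensor, sequential cid, 50 signatures)."""
    t0 = datetime(2010, 12, 20)
    events = [(1, i, i % 50, (t0 + timedelta(seconds=i)).isoformat(" "))
              for i in range(1, n + 1)]
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", events)
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)",
                     [(1, i, 0x0A000001, 0x0A000002) for i in range(1, n + 1)])
    conn.executemany("INSERT INTO tcphdr VALUES (?,?,?,?)",
                     [(1, i, 40000 + i % 1000, 80) for i in range(1, n + 1)])
    conn.commit()


def query_plan(conn, sql, params):
    """Return the planner's per-step description lines for sql."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return [row[-1] for row in rows]   # the 'detail' column is last


def compare_plans(n_events=5000):
    """Plans for both queries before and after the index script is applied."""
    conn = sqlite3.connect(":memory:")
    # SQLite would otherwise build a transient index for the un-indexed join,
    # hiding the full scan that MySQL performs without the cid indexes.
    conn.execute("PRAGMA automatic_index = OFF")
    conn.executescript(SCHEMA)
    load_sample_events(conn, n_events)
    params = {"join": (4242,), "time_sig": ("2010-12-20 01:00:00", 7)}
    queries = {"join": JOIN_QUERY, "time_sig": TIME_SIG_QUERY}
    before = {k: query_plan(conn, q, params[k]) for k, q in queries.items()}
    conn.executescript(INDEX_SCRIPT)
    after = {k: query_plan(conn, q, params[k]) for k, q in queries.items()}
    conn.close()
    return before, after


def uses_index(plan_lines, index_name):
    """True when some planner step resolves rows through the named index."""
    return any("INDEX " + index_name in line for line in plan_lines)


if __name__ == "__main__":
    before, after = compare_plans()
    for name in ("join", "time_sig"):
        print(f"{name} before: {before[name]}")
        print(f"{name} after:  {after[name]}")
```

Before the script runs, every step of the join reads "SCAN" (the composite primary key on (sid, cid) cannot serve a lookup on cid alone); afterwards each header table is reached through its cid index, and the time/signature filter is answered from time_sig without touching the table. On a real MySQL install the same check is `EXPLAIN` against BASE's actual queries, looking for `type: ALL` rows that should have become `ref` or `range`.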