Snort mailing list archives

Re: Snort populates Mysql a lot


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Thu, 23 Dec 2010 14:04:37 -0500

Those are preprocessor alerts.  119 is the GID and 19 is the sid

alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )

If you're using the VRT-provided snort.conf in the rule packages for
2903, this means the HTTP header was longer than 750 bytes, or
whatever your max_header_length parameter for http_inspect is set to.

Cheers,
-matt

On Thu, Dec 23, 2010 at 1:55 PM, J. L. Cabral <jelocabral () gmail com> wrote:
For example, I have several alerts from:

SID 119-19

Does this mean SID: 119 Rev: 19, or what?

Because I can't see any alert in /rules with this syntax...

Thanks a lot



On Thu, Dec 23, 2010 at 12:59 PM, Gregory Zill <gregory () r3g net> wrote:

I haven't used BASE too recently in favor of SnortReport. I currently have a count of 1,348,605 events in the mysql 
database and the report appears rather quickly. I found an index create script that provided much quicker response. I 
will leave the performance notes and the index script for you to view.

-----------------------8<---------------------------------------------------------

See http://www.mysql.com/doc/S/e/Server_parameters.html for general server tuning tips

-- These 4 make an enormous difference as they improve several of the joins used in *every* query in alerts.php
CREATE INDEX ip_cid ON iphdr (cid);
CREATE INDEX udp_cid ON udphdr (cid);
CREATE INDEX tcp_cid ON tcphdr (cid);
CREATE INDEX icmp_cid ON icmphdr (cid);

-- More improvements by using cid indexes:
CREATE INDEX event_cid ON event (cid);
CREATE INDEX data_cid ON data (cid);

-- This one makes the two alert-listing queries use an index instead of a scan.
CREATE INDEX time_sig ON event (timestamp, signature, cid);

-----------------------8<---------------------------------------------------------



Message: 6
Date: Thu, 23 Dec 2010 12:04:39 -0300
From: "J. L. Cabral" <jelocabral () gmail com>
Subject: [Snort-users] Snort populates Mysql a lot

Dear, Snort 2.9 is working fine, but I have a problem: in 3 days I get more
than 1,000,000 alerts displayed in BASE, and so access to this web
interface is very slow.

I had to delete all the data from the mysql tables and start Snort again.

Can you give me any advice on getting the alerts without affecting the performance
of the system?

And approximately how many alerts can MySQL store without crashing?

Thanks a lot

JeLo

--
Happiness is when what you think, what you say, and what you do are in harmony.
~Mahatma Gandhi

Gregory W Zill, MBA, CISSP


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

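The identifier question in this thread (BASE shows "119-19", which is GID 119, SID 19: an http_inspect preprocessor alert, not a rule found under /rules), worked through as an added example. This is not code from Snort, Sourcefire or any poster. It parses Snort fast-alert lines, separates preprocessor GIDs from rule GIDs, resolves the message through a gen-msg.map excerpt and reads max_header_length out of a snort.conf fragment. The alert lines, the map excerpt and the config fragment are constructed samples in the real file formats; the convention that GID 1 and GID 3 are rule alerts and the exact gen-msg.map wording for 119:19 are assumptions not stated on the page (the page gives the preproc rule msg as HI_CLIENT_LONG_HEADER).

```python
"""Explain Snort alert identifiers of the form [gid:sid:rev] and tally them.

Added example for this thread, not code from Snort or from any poster. The
alert lines, gen-msg.map excerpt and snort.conf fragment below are constructed
samples in the real file formats, not captures from the original reporter.
"""
import re
from collections import Counter

# Fast-alert lines ("snort -A fast" style). Constructed sample data.
SAMPLE_ALERTS = """\
12/23-13:55:01.102931  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 93.184.216.34:80
12/23-13:55:01.204411  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:49152 -> 93.184.216.34:80
12/23-13:55:02.000120  [**] [1:1000001:1] LOCAL example rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:5353 -> 224.0.0.251:5353
12/23-13:55:03.550000  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51240 -> 93.184.216.34:80
"""

# Excerpt in gen-msg.map format ("gid || sid || message"). Constructed sample;
# the wording for 119:19 is an assumption, not taken from the thread.
GEN_MSG_MAP = """\
1 || 1 || snort general alert
119 || 19 || (http_inspect) LONG HEADER
"""

# Fragment in snort.conf syntax showing the http_inspect_server parameter the
# thread names. Constructed sample; 750 is the value the thread quotes.
SNORT_CONF = """\
preprocessor http_inspect_server: server default \\
    http_methods { GET POST PUT } \\
    max_header_length 750 \\
    max_headers 100
"""

ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
# Assumption: GID 1 = text rules, GID 3 = shared-object rules; every other GID
# is a decoder or preprocessor alert (119 = http_inspect client side).
RULE_GIDS = {1, 3}


def parse_alert(line):
    """Return {'gid','sid','rev','msg','kind'} for one fast-alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {
        "gid": gid,
        "sid": sid,
        "rev": rev,
        "msg": m.group(4),
        "kind": "rule" if gid in RULE_GIDS else "preprocessor",
    }


def load_gen_msg_map(text):
    """Parse gen-msg.map lines into {(gid, sid): message}."""
    table = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def summarize(lines, gen_msg):
    """Count alerts per gid:sid, most frequent first.

    Each entry: ("gid:sid", count, kind, message). The message comes from
    gen-msg.map when present there, otherwise from the alert line itself.
    """
    counts = Counter()
    seen = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        counts[key] += 1
        seen[key] = a
    out = []
    for (gid, sid), n in counts.most_common():
        a = seen[(gid, sid)]
        msg = gen_msg.get((gid, sid), a["msg"])
        out.append((f"{gid}:{sid}", n, a["kind"], msg))
    return out


def max_header_length(conf_text):
    """Return the configured http_inspect_server max_header_length, or None."""
    m = re.search(r"\bmax_header_length\s+(\d+)", conf_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    table = load_gen_msg_map(GEN_MSG_MAP)
    for ident, n, kind, msg in summarize(SAMPLE_ALERTS.splitlines(), table):
        print(f"{ident:>12} {n:5d} {kind:12} {msg}")
    print("max_header_length:", max_header_length(SNORT_CONF))
```

Run it as a script to get the per-identifier tally; the top entry is what BASE renders as "119-19", and the kind column tells you whether to look for the identifier in the rule files or in the preprocessor configuration. Point parse_alert at a real alert file and load_gen_msg_map at the gen-msg.map shipped with your rule package to do the same for a live sensor.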

