Snort mailing list archives
Re: Where's Waldo?
From: "Michael Steele" <michaels () winsnort com>
Date: Thu, 11 Oct 2012 17:06:19 -0400
Don't know where you got the idea of a wait. I see events instantly as soon as I refresh BASE. There is no lag time between Snort writing to the log file, Barnyard2 grabbing the event from the log, Barnyard2 shuttling the event to the database, and (here is where there should only be lag) the user refreshing BASE (or just allowing BASE to refresh itself).

Michael...

-----Original Message-----
From: AllowOverride [mailto:allowoverride () gmail com]
Sent: Thursday, October 11, 2012 3:30 PM
To: wkitty42 () windstream net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Where's Waldo?

It appears to be logging data again to BASE, so you are saying, wait 24 hours for new data to be present? I see your point about 1 hour, as most of the configs state 1 hour; however, when I first pinged the server and ICMP hits were displayed on BASE, it was instantaneous. So you see where I get my idea: after clearing a completely blank table, it displayed data on BASE, and by clearing tables, it won't display data quickly EVEN after I restart services, or clear the snort logs and alerts, or restart the snort/barnyard2 processes. See my point? I see yours. Thanks.

Just a test: I will clear tables, close the browser, come back in 1 hour increments, and see if that is the issue, that it takes an hour to input new data after the BASE clear table buttons have cleared. I'm assuming there is a switch in the configs to make it quicker. Any idea of what that line or file name is, in /var/www/base-1.4.5/* ? What keyword to grep for? Thanks!!

On Wed, 2012-10-10 at 20:56 -0400, waldo kitty wrote:
On 10/10/2012 17:55, AllowOverride wrote:
Yes exactly, I believe that also to be a possible issue, as it will only restart sending to mysql after I restart each piece of this pig puzzle.
Although, sometimes, it will resend if I restart apache2, or snort, or barnyard2 in random order...

Maybe there's an automatic restart for the failing process and your attempts to force the issue and make it restart are confusing things? How long have you left it alone once you clicked on the [clear tables] button? 30 minutes? An hour?
I ask because one of the systems I work with has a similar feature... in some cases, it can take a day for the database stuffings to catch up and start providing some data...

REMEMBER: a feature is an undocumented bug. The first fix is generally to document it as a feature ;)

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
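Michael's reply lists the stages where an event can lag (Snort writing the log, Barnyard2 reading it, Barnyard2 inserting into the database, BASE refreshing). The following Python is an added example, not code from the thread or from the Snort/Barnyard2/BASE projects: it takes constructed Snort alert_fast lines and constructed rows in the assumed shape of the BASE event table (gid, sid, timestamp) and reports which alerts have not reached the database and how old the oldest one is, so the lag can be pinned to the Snort-to-Barnyard2-to-database leg rather than to the BASE display.

```python
import re
from datetime import datetime

# Snort alert_fast line, e.g.
# "10/11-15:30:01.123456  [**] [1:384:5] ICMP PING [**] [Classification: ...] ..."
FAST_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\]"
)

def parse_fast_alert(line, year):
    """Return (timestamp, gid, sid) for one alert_fast line, or None if the
    line is not an alert. alert_fast omits the year, so the caller supplies it."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
    return ts, int(m.group(3)), int(m.group(4))

def pipeline_check(alert_lines, db_rows, now, year):
    """Compare what Snort logged with what Barnyard2 has inserted.
    db_rows: (gid, sid, timestamp) tuples, the assumed shape of rows read from
    the BASE event table. An alert counts as delivered when a row with the same
    rule id exists at the same second. Returns how many alerts are still
    missing and the age in seconds of the oldest missing one."""
    delivered = {(gid, sid, ts.replace(microsecond=0)) for gid, sid, ts in db_rows}
    missing = []
    for line in alert_lines:
        parsed = parse_fast_alert(line, year)
        if parsed and (parsed[1], parsed[2], parsed[0]) not in delivered:
            missing.append(parsed)
    if not missing:
        return {"missing": 0, "oldest_lag_s": 0}
    oldest = min(ts for ts, _, _ in missing)
    return {"missing": len(missing), "oldest_lag_s": int((now - oldest).total_seconds())}

# Constructed sample: three alerts in Snort's alert file, two rows already in the DB.
ALERTS = [
    "10/11-15:30:01.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1",
    "10/11-15:30:02.223456  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 192.168.1.5",
    "10/11-15:31:10.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1",
]
DB_ROWS = [
    (1, 384, datetime(2012, 10, 11, 15, 30, 1)),
    (1, 408, datetime(2012, 10, 11, 15, 30, 2)),
]
NOW = datetime(2012, 10, 11, 15, 32, 0)

if __name__ == "__main__":
    print(pipeline_check(ALERTS, DB_ROWS, NOW, 2012))  # {'missing': 1, 'oldest_lag_s': 50}
```

On a live sensor the alert lines come from Snort's alert file and the rows from a `SELECT` against the event table; a growing `missing` count with a rising lag means Barnyard2 is not inserting, while zero missing with stale BASE pages points at the BASE refresh instead.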