Home page logo
/

snort logo Snort mailing list archives

Re: Snort populates Mysql a lot
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Thu, 23 Dec 2010 09:54:13 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Dec 23, 2010, at 10:04 AM, J. L. Cabral wrote:

Dear, Snort 2.9 is working fine, but I have a problem: in 3 days I get more than 1.000.000 alerts visualizated in 
BASE, and so the access to this web interafce is very slowly.

I had to delete all the data from the mysql tables and start Snort again.

Can you give me any advice to get the alerts without affect the performance of the system ???

And how many alerts approximately can MySQL stores without crash ???

There are some performance and memory adjustments you can make to MySQL to
enhance the performance of MySQLd.  Such examples would include enabling caches,
indices's, and disabling unused storage engines.

I have several tables which commonly see about 1.000.000 rows of data or more daily.

If you're not familiar with performance adjustments to MySQL may I suggest a
Perl script, available at http://mysqltuner.pl/mysqltuner.pl as a very good
starting point to asses some adjustments you can make to increase performance.

The root issue could be three key items:

1) MySQL box isn't strong enough to handle the query load.
2) MySQL needs some performance tuning and adjustments.
3) Superfluous alerts need to be disabled or removed (as Joel indicated)

I hope this was helpful.

- -evilghost
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJNE3ClAAoJENgimYXu6xOHW6IP/0kObFYiPN5OIDKcRoDeD7vD
mPLBpfh4VR+HwEm2GkihbyVGnUygWCxCTtsk+sfrpSe7/9wZqI3au9L/feL6+at/
AWFNm5hWT5R9cZOwhNXCMruchlmSDXxc2R5wF+FNgIIP31anZPtPIT61PBtKEGCh
lNuFbcgDtH3jaL8/FlaCIIAK5X/c7KgikhGs1cSa/3dOIZujhD6fVAKCrgt7zgjY
5BhMBFE0WDYOXSqglEtvYRmW52x3xj4Dwl7Sg8gXrPepLniYKxdQZugMPXv+jKHE
PcEMhERRcs1NvwDHr9Vy5xGURXwpTT2uihKaJFN/7pxkggtXlYnZKajICZPGZj38
2zxk9ISUAzu0URUIihI5k4sTSGsWYWlco/RM8mqYM5yR7Qi79FvFtZiIJ/q8IzXR
jl77mFdGa+p8XX5xps1WDZsH8cE+x0o4uFLIBWReqzT7UeVuOU8ZbjzB7M/CTiUC
44baFP0y2335BG25jBLE4ebNwJ/+IxtMClGyxu3L9/p3MNAEw6kRRj1ZSiB5GBVb
E/QybfDC3eTJk3mXmBAkA1a27sD5JoxOgXX83oTBiGDl+VrxmOobeiL6M4oa1emx
kDjech6fhz12tt5xbuE5IM30eSs8IeBz7/UtNsnJf2uUM4oNKotIipgxr01ArETF
NloH82rx8sHT0iTLLWsj
=aNk6
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault