Snort mailing list archives

Optimizing Snort, MySQL & BASE installation


From: Affan Basalamah <affanzbasalamah () gmail com>
Date: Mon, 4 Jul 2005 22:33:15 +0700

Hi all,

Currently we deploy Snort, MySQL and BASE on one box (FreeBSD/amd64
5.4-RELEASE, 1 GB RAM, 40 GB hard drive, 2 bge0 gigabit eth) to listen
on one SPAN port on my Catalyst 6500. The SPAN port mirrors 4 100 Mbps
FastEth ports. The installation is working fine, thanks to the FreeBSD Ports
Collection.

The problem with it is alert management. After running it for one
day, the BASE console starts working slowly, takes a very long time to
display the main console, and is unable to run the queries for Most Recent 15
Unique Alerts and Most Frequent 5 Unique Alerts. We typically have 1
million alerts per day of operation. I have already reduced my
signatures to detect only the most frequent alerts, such as worms/viruses. The
false positives have been commented out of my snort.conf and signature
files.

The Snort version is 2.3.3, MySQL is 4.1 and BASE is 1.3.3, Schema Version
106. The configuration mainly uses default parameters.

I want to know what the solution to my problem is. Do I have to
optimize my MySQL settings? Do I have to use Barnyard? Do I have to
delete or archive my alert database regularly? Is the information about
optimization on the ACID websites still relevant to BASE?

This is my first experience with Snort/MySQL/BASE, and I appreciate
all the help I can get.

-affan


