Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Optimizing Snort, MySQL & BASE installation

From: Gary Richardson <gary.richardson () gmail com>
Date: Mon, 4 Jul 2005 09:27:48 -0700
I've noticed the same thing. I've been meaning to look at some of the
queries and possibly add some indexes.

I've also noticed that BASE does a lot of things "one at a time." I
deleted around 6000 records out of my database and it took around 20
minutes to do using the web interface..

On 7/4/05, Affan Basalamah <affanzbasalamah () gmail com> wrote:

Hi all,

Currently we deploy Snort, MySQL and BASE on one box (FreeBSD/amd64
5.4-RELEASE, 1 GB RAM, 40 GB Harddrive, 2 bge0 gigabit eth) to listen
on one SPAN port on my Catalyst 6500. SPAN port is mirroring 4 100Mbps
FastEth port. Installation is working fine, thanks to FreeBSD Ports
Collection.

The problem about it is Alert management. After running it for one
day, the BASE console start working slowly, took very long time to
display the main console, and unable to run queries on Most Recent 15
Unique Alert and Most Frequent 5 Unique Alert. Mostly we have 1
million Alert for 1 day operation. I have already minimize my
signature to detect only most frequent alert, such as worm/virus. The
false positives have been commented out of my snort.conf and signature
files.

Snort version is 2.3.3, MySQL is 4.1 and BASE is 1.3.3, Schema Version
106. The configuration is mainly uses default parameter.

I want to know how is the solution about my problem. Do I have to
optimize my MySQL settings ? Do I have to use Barnyard ?  Do I have to
delete or archive my Alert database regularly ? Is information on ACID
websites about optimization is still relevant to BASE ?

This is my first experience with Snort/MySQL/BASE, and I appreciate
all the help I can get.

-affan


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&opclick
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: