Re: Snort Overloading BASE?

[Joel Esler <jesler () sourcefire com>]

It appears that you have it on two different lines (the bpf statement).

Can you put it on one continuous line and try it again?

J

On Wed, Jan 20, 2010 at 3:53 PM, James Chase <chase1124 () gmail com> wrote:

> Thanks, Alex.
>
> I'm using MySQL, do you know if there is a script that will work for that
> as well?
>
> I've tried using some filtering, but whenever use this .bpf file, snort
> doesn't log ANYTHING. I'm not sure I see what is wrong with my tcpdump
> syntax here:
>
> [jchase@monitor ~]$ cat /etc/snort/ignore.bpf.bak
> not src host xxx.xxx.xxx.163 and port 25
> and not host 192.168.1.30 and port 161
>
> snort    14221     1  0  2009 ?        00:00:00 /usr/sbin/snort -D -i eth0
> -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
> /etc/snort/ignore.bpf
>
> On Wed, Jan 20, 2010 at 3:44 PM, Alexander Novokhatsky <
> alex.ontario () gmail com> wrote:
>
> >  Hello James,
> >
> > I've set up Referential Integrity via foreign keys in database(MS SQL) and
> > then created a job to remove outdated events based on dbo.event.timestamp
> > column.
> > SQL script, required for creating Referential Integrity is included in
> > BASE sources. Just look them through.
> >
> > All other tables are updated automaticaly.
> >
> > I try to keep alerts number in BASE around 100.000 It becomes unusable
> > when the number exceeds 500.000 alerts.
> >
> > Also consider using threshold and suppress rules in snort. It can help to
> > reduce alerts count.
> >
> >
> >
> > Wednesday, January 20, 2010, 3:24:31 PM, you wrote:
> >
> >
> >  I'm running snort-2.8.5-1 on CentOS 5.4 and collecting snort alerts to a
> > database with barnyard2. The problem is snort seems to be generating so many
> > alerts that whenever I load the BASE page it takes 5 or 10 minutes to
> > display! I believe it is just processing the new alerts but it really makes
> > the system unusable.
> >
> > Is there anything that can be done to clear out the DB of old alerts
> > automatically or anyone else that has experienced this problem?
> >
> > --
> > "Beware of all enterprises that require new clothes."
> >  --  Henry David Thoreau
> >
> >
> >
> > *--
> > Best regards,
> >  Alexander                            mailto:alex.ontario () gmail com<alex.ontario () gmail com>
> > *
>
>
>
> --
> "Beware of all enterprises that require new clothes."
>  --  Henry David Thoreau
>
>
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for
> Conference
> attendees to learn about information security's most important issues
> through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Joel Esler

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users