[Snort-users] DataBase Load Problem.

A.L.Lambert alambert at ...387...
Thu Nov 30 11:31:47 EST 2000


	The route I would take, would be to edit out the rules that are
generating that much "line noise".  I find that any rules that trigger a
lot of false positives are worse than useless, because after a bit, I'll
totally ignore that rule, regardless of the possibility of it being a real
alert, just because I see so many of them.  

	My usual track when setting up a snort box, is to crank it up with
the full snort.org, whitehats.com, and my own personal rulesets, watch
for about 2 hours and see what's going to become annoying, and comment
those rules out of the rules files.  Each network is a bit different, so
you really need to tailor the rulesets around the network in question.  
OTOH - if you're getting 1000 non-false positives a minute, then you've
got bigger problems. :)

	Just my $0.02.


	--A.L.Lambert

> greetings.  I am having what I hope is not too unique of a problem.  With
> the base set of rules I am seeing about 1000 alerts a minute.  I am
> writing these to a mysql database on a Sun E3500.  I have apache, PHP, and
> ACID, running on the same box, and nothing else (ya, way overkill, but it
> was not in production yet).  
> 
> The problem is that if I let the database fill for more than a couple of
> hours (heck, a couple of minutes) the queries start to become *painfully*
> slow.  After a megalert it is almost impossible to query the database thru
> ACID.  I was thinking that an oracle database might be faster, but I don't
> remember seeing a logging module for oracle, or an ACID config option for
> it either.
> 
> Any ideas on how to speed this up so I can run it for a week or so at this
> alert rate, and still get the data out when I click??
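The "watch for a couple of hours, then comment out the noisy rules" step above is easy to do by hand with a few rules and tedious with a full snort.org plus whitehats.com set. The script below is an added example (my own, not code from the poster or the Snort project): it ranks alerts by rule SID, picks the rules that fired at least N times, and rewrites a rules file with those rules commented out, leaving rules that are already disabled untouched so it is safe to rerun. It assumes Snort's one-line "alert_fast" output with the rule tagged as [gid:sid:rev]; the alert lines and rules in the block are constructed samples, not the poster's data.

```python
"""Rank Snort alerts by rule SID and comment the noisiest rules out of a
rules file.  Added example; the alert lines and rules below are constructed."""
import re
from collections import Counter

# Snort "alert_fast" style: one alert per line, rule id as [gid:sid:rev].
# (Assumption: this is the output format in use; the post shows none.)
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
# Matches the sid option inside a rule body, e.g. "sid:469;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample alerts: sid 469 is the "line noise" rule here.
SAMPLE_ALERTS = """\
11/30-11:20:01.000001  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
11/30-11:20:02.000002  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.6 -> 10.0.0.1
11/30-11:20:03.000003  [**] [1:2003:2] WEB-MISC long URL [**] [Priority: 3] {TCP} 10.0.0.7:4123 -> 10.0.0.2:80
11/30-11:20:04.000004  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.8 -> 10.0.0.1
11/30-11:20:05.000005  [**] [1:1000001:1] LOCAL suspicious login [**] [Priority: 1] {TCP} 10.0.0.9:5555 -> 10.0.0.3:22
11/30-11:20:06.000006  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
11/30-11:20:07.000007  [**] [1:2003:2] WEB-MISC long URL [**] [Priority: 3] {TCP} 10.0.0.7:4124 -> 10.0.0.2:80
this line is not an alert and must be ignored
"""

# Constructed sample rules file (sid 4690 is a decoy: it must not be touched).
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:469; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC long URL"; content:"GET"; sid:2003; rev:2;)
# alert tcp any any -> any any (msg:"already disabled"; sid:4690; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL suspicious login"; content:"root"; sid:1000001; rev:1;)
"""


def count_by_sid(alert_text):
    """Return (Counter {(gid, sid): hits}, {(gid, sid): msg})."""
    counts, names = Counter(), {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line; skip it
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        names[key] = m.group(4)
    return counts, names


def noisy_sids(counts, threshold):
    """SIDs of text rules (gid 1) that fired at least `threshold` times."""
    return {sid for (gid, sid), n in counts.items() if gid == 1 and n >= threshold}


def comment_out(rules_text, sids):
    """Prefix every active rule whose sid is in `sids` with '# '.
    Already-commented lines, blank lines and other sids are left as they are,
    so running this twice over the same file changes nothing the second time."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def report(counts, names):
    """(hits, gid, sid, msg) tuples, noisiest rule first."""
    return sorted(((n, g, s, names[(g, s)]) for (g, s), n in counts.items()),
                  reverse=True)


if __name__ == "__main__":
    counts, names = count_by_sid(SAMPLE_ALERTS)
    for n, g, s, msg in report(counts, names):
        print(f"{n:6d}  [{g}:{s}]  {msg}")
    loud = noisy_sids(counts, threshold=3)
    print("\ncommenting out sids:", sorted(loud))
    print(comment_out(SAMPLE_RULES, loud), end="")
```

The threshold is the judgement call: on a real two-hour capture you would look at the ranked report first and then decide, because a rule that fires a thousand times may be a genuinely noisy network rather than a bad signature, which is the poster's second caveat.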
