[Snort-users] DataBase Load Problem.
alambert at ...387...
Thu Nov 30 11:31:47 EST 2000
The route I would take would be to edit out the rules that are
generating that much "line noise". I find that any rules that trigger a
lot of false positives are worse than useless, because after a bit, I'll
totally ignore that rule, regardless of the possibility of it being a real
alert, just because I see so many of them.
My usual track when setting up a snort box is to crank it up with
the full snort.org, whitehats.com, and my own personal rulesets, watch
for about 2 hours and see what's going to become annoying, and comment
those rules out of the rules files. Each network is a bit different, so
you really need to tailor the rulesets around the network in question.
OTOH - if you're getting 1000 non-false positives a minute, then you've
got bigger problems. :)
Just my $0.02.
> Greetings. I am having what I hope is not too unique of a problem. With
> the base set of rules I am seeing about 1000 alerts a minute. I am
> writing these to a MySQL database on a Sun E3500. I have Apache, PHP, and
> ACID running on the same box, and nothing else (ya, way overkill, but it
> was not in production yet).
> The problem is that if I let the database fill for more than a couple of
> hours (heck, a couple of minutes) the queries start to become *painfully*
> slow. After a megalert it is almost impossible to query the database through
> ACID. I was thinking that an Oracle database might be faster, but I don't
> remember seeing a logging module for Oracle, or an ACID config option for
> it either.
> Any ideas on how to speed this up so I can run it for a week or so at this
> alert rate, and still get the data out when I click??