[Snort-users] DataBase Load Problem.
austad at ...432...
Thu Nov 30 11:58:51 EST 2000
What are most of your alerts for? I had to disable some rules to prevent
this on my network, specifically the large ICMP rule, and there were a
couple of other rules also. We have some thing that run over our network
here that set off alerts on these rules so I have to disable them until I
can find a better way of matching them.
Once your database get's above 500,000 alerts, it will be deathly slow for
reporting. Find out what the highest percentage of the alerts are and
figure out what's generating them.
> -----Original Message-----
> From: F.M. Taylor [mailto:root at ...28...]
> Sent: Thursday, November 30, 2000 8:51 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] DataBase Load Problem.
> greetings. I am having what I hope is not too unique of a
> problem. With
> the base set of rules I am seeing about 1000 alerts a minute. I am
> writing these to a mysql database on a Sun E3500. I have
> apache, PHP, and
> ACID, running on the same box, and nothing else (ya, way
> overkill, but it
> was not in production yet).
> The problem is that if I let the database fill for more than
> a couple of
> hours (heck, a couple of minutes) the queries start to become
> slow. After a megalert it is almost impossible to query the
> database thru
> ACID. I was thinking that an oracle database might be
> faster, but I don't
> remember seeing a logging module for oracle, or and acid
> config option for
> it either.
> Any ideas on how to speed this up so I can run it for a week
> or so at this
> alert rate, and still get the data out when I click??
> Mike Taylor
> Coordinator of Systems Administration and Network Security
> Indiana State University. Rankin Hall Rm 039
> 210 N 7th St. Terre Haute, IN.
> Voice: 812-237-8843 47809
> "You have zero privacy anyway. Get over it."
> --Scott McNealy, Sun MicroSystems.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
More information about the Snort-users