[Snort-users] Problems archiving lots of alerts using ACID

Crow, Owen Owen_Crow at ...2639...
Mon Jul 15 16:07:03 EDT 2002


My Setup:
Sun E250, 2x400MHz, 1GB RAM
OS is on 2 DiskSuite mirrored 18GB disks.
Apps and database are on 4 Veritas RAID-5 18GB disks. (yech, I know)
Solaris 2.8
Apache 1.3.26
mysql-3.23.49-sun-solaris2.8-sparc package provided by mysql.com
PHP 4.1.2 (mod_php)

I'm trying to archive some of my largest batches of alerts.  Here is one
of the top alerts (cut and pasted from ACID):
WEB-IIS multiple decode attempt    web-application-attack    29416 (6%)

I click the check box next to the alert, select "Archive alert(s)
(move)" from the drop down and click the "Selected" button.

After about 10-15 minutes, the web browser returns an error and when I
go back to the top 5 alerts page, there are only about 300 alerts
archived.  Successive attempts show the same pattern:
WEB-IIS multiple decode attempt    web-application-attack    29137 (5%)    (279 archived)
WEB-IIS multiple decode attempt    web-application-attack    28815 (5%)    (322 archived)
WEB-IIS multiple decode attempt    web-application-attack    28508 (5%)    (307 archived)
WEB-IIS multiple decode attempt    web-application-attack    28199 (5%)    (309 archived)
WEB-IIS multiple decode attempt    web-application-attack    27916 (5%)    (283 archived)
WEB-IIS multiple decode attempt    web-application-attack    27481 (5%)    (435 archived)

I have successfully archived up to 20,000 alerts at one time in the
past.  I've checked the Apache logs for any errors and the mysql logs
don't appear to be recording (i.e. I can't find a mysqld.log anywhere). 
I'm not a very savvy MySQL admin, and have not been able to find any
meaningful logs.  The ACID-FAQ B-10 alludes to making some extra
indexes, but doesn't include instructions for creating them.  I've
optimized both the primary and archive databases using the procedure in
B-10 (the last archive attempt above shot up about 50%).

Here are some summary stats to give an idea of how big my database is:

Sensors: 25 [This is actually 3 sensors with a succession of BPF filters
             applied.]
Unique Alerts: 715    (   23 categories   )
Total Number of Alerts: 541495
Source IP addresses: 13800
Dest. IP addresses: 45986
Unique IP links 69740

I've toyed with max_execution_time in php.ini, going from 30 to 300 to
900, with no effect.

Any suggestions or good chapters in manuals to read about this?

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
