[Snort-users] Snort, MySQL, Acid

Ian Macdonald secsnort at ...5528...
Tue May 7 07:19:05 EDT 2002


You might want to have a look at www.dirk.demon.co.uk/tools. I wrote some
scripts for managing the snort part of the database. The idea was that you
could run it every night in a cron job or scheduled task. I am thinking
about extending them to create a complete copy of the demarc data as well so
you could have say 5 days in the active store that you monitor then another
copy of the demarc console installed that hits the archive database. This
would give you the ability to go back and look at archived data, but with
the knowledge that it might take some time to bring back data.


Out of interest, which setting in the IIS did you change? I couldn't track
down the setting that would stop the cgi-timeout messages in IIS.

Thanks

Ian
----- Original Message -----
From: "Whaley, Mike" <mwhaley at ...5464...>
To: "'Anton A. Chuvakin'" <anton at ...5376...>; "Tim Sailer"
<sailer at ...2968...>
Cc: "Redman, Ken" <ken.redman at ...5424...>; "Snort Users List (E-mail)"
<snort-users at lists.sourceforge.net>
Sent: Monday, May 06, 2002 4:12 PM
Subject: RE: [Snort-users] Snort, MySQL, Acid


> I have the same configuration on win2k and I just fixed this problem with
> mine.  First, increase your timeout value in your acid_conf.php file. Next
> you'll get cgi errors for IIS if you are running that.  Increase your
> timeout for IIS and that should fix it.  For about 25,000 records it takes
> about 1300 seconds to move the data to another archive on my machine.
> Everything works great now and I can successfully move, copy, and delete
> large amounts of data.
>
> Mike Whaley
>
> -----Original Message-----
> From: Anton A. Chuvakin [mailto:anton at ...5376...]
> Sent: Monday, May 06, 2002 1:33 PM
> To: Tim Sailer
> Cc: Redman, Ken; Snort Users List (E-mail)
> Subject: Re: [Snort-users] Snort, MySQL, Acid
> Importance: High
>
>
> Hello,
>
> >I think the easiest way, since you have ACID, is to query on your IP
> >address in ACID, and then tell it to delete the whole query. It will
> >clean up nicely.
> Not if you have 100,000 records or more.
>
> Sorry for a one-liner, but archiving/deleting with ACID for large
> databases is very unstable. I have not found a way to recover my
> ACID/snort database after it was flooded by thousands of records. That
> leaves it in pretty much unusable shape.
>
> Best,
> --
>      Anton A. Chuvakin, Ph.D.
>      http://www.chuvakin.org
>    http://www.info-secure.org
>
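The thread's practical point is that moving or deleting tens of thousands of alert rows through the ACID web console runs into PHP and IIS timeouts, while a scheduled job against the database itself does not. The script below is an added example written for this archive page; it is not Ian's tool from dirk.demon.co.uk and not part of ACID or Snort. It assumes a simplified subset of the Snort database schema (an `event` table plus per-event child tables, here only `iphdr` and `data`) and uses in-memory SQLite in place of MySQL so it runs offline; the sample alerts are constructed. It keeps a configurable number of days in the active store and moves everything older into an attached archive store in small committed batches, which is what makes it safe to run nightly from cron while the sensor is still writing.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed, simplified subset of the Snort database schema (assumption): the
# real schema has further per-event child tables (tcphdr, udphdr, icmphdr, opt,
# ...) which an archiver treats exactly like the two shown here.
CHILD_TABLES = ("iphdr", "data")
ALL_TABLES = ("event",) + CHILD_TABLES
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                    PRIMARY KEY (sid, cid));
"""


def open_stores():
    """Active store as schema 'main', archive store attached as 'arc'.
    Both are in-memory SQLite here (assumption); a real deployment would
    point at the MySQL active and archive databases instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS arc")
    conn.executescript(SCHEMA)
    conn.executescript(SCHEMA.replace("CREATE TABLE ", "CREATE TABLE arc."))
    return conn


def seed_events(conn, count, now, sid=1):
    """Constructed sample alerts: one per day, cid 1 newest, going back in time."""
    rows = [(sid, cid, (now - timedelta(days=cid - 1)).strftime("%Y-%m-%d %H:%M:%S"))
            for cid in range(1, count + 1)]
    keys = [(s, c) for s, c, _ in rows]
    conn.executemany("INSERT INTO event VALUES (?, ?, 1000001, ?)", rows)
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, 167772161, 167772162)", keys)
    conn.executemany("INSERT INTO data VALUES (?, ?, 'constructed payload')", keys)
    conn.commit()


def archive_old_events(conn, keep_days, batch_size, now):
    """Move every event older than keep_days, with its child rows, from main
    to arc in small committed batches.  Short transactions are the point:
    the active tables stay usable for the sensor and the console while the
    archiver runs, and a killed run loses at most one batch of work."""
    cutoff = (now - timedelta(days=keep_days)).strftime("%Y-%m-%d %H:%M:%S")
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS batch (sid INTEGER, cid INTEGER)")
    moved = batches = 0
    while True:
        keys = conn.execute(
            "SELECT sid, cid FROM main.event WHERE timestamp < ? "
            "ORDER BY timestamp LIMIT ?", (cutoff, batch_size)).fetchall()
        if not keys:
            break
        with conn:  # one transaction per batch: copy everything, then delete
            conn.execute("DELETE FROM temp.batch")
            conn.executemany("INSERT INTO temp.batch VALUES (?, ?)", keys)
            for table in ALL_TABLES:
                conn.execute(
                    f"INSERT INTO arc.{table} SELECT t.* FROM main.{table} AS t "
                    "WHERE EXISTS (SELECT 1 FROM temp.batch b "
                    "WHERE b.sid = t.sid AND b.cid = t.cid)")
            # Children before the parent row: on a storage engine without
            # transactions (e.g. MyISAM) this ordering keeps an interrupted run
            # from leaving header/payload rows whose event is already gone.
            for table in CHILD_TABLES + ("event",):
                conn.execute(
                    f"DELETE FROM main.{table} "
                    "WHERE EXISTS (SELECT 1 FROM temp.batch b "
                    f"WHERE b.sid = {table}.sid AND b.cid = {table}.cid)")
            moved += len(keys)
            batches += 1
    return {"moved": moved, "batches": batches}


def row_counts(conn):
    """Rows per table in both stores, for the post-run consistency check."""
    return {f"{schema}.{table}": conn.execute(
                f"SELECT COUNT(*) FROM {schema}.{table}").fetchone()[0]
            for schema in ("main", "arc") for table in ALL_TABLES}


def run_demo(count=10, keep_days=5, batch_size=3):
    """Seed a fresh store, archive it once, return (result, row counts)."""
    now = datetime(2002, 5, 7, 7, 19, 5)  # fixed clock for reproducible output
    conn = open_stores()
    seed_events(conn, count, now)
    result = archive_old_events(conn, keep_days, batch_size, now)
    return result, row_counts(conn)


if __name__ == "__main__":
    result, counts = run_demo()
    print(result)  # {'moved': 4, 'batches': 2}
    print(counts)
```

With ten daily alerts and a five-day retention, four events (and their four `iphdr` and `data` rows) end up in the archive and six stay active. The batch size is the knob to tune against the 1300 seconds per 25,000 records quoted above: a batch that takes a few seconds to commit never holds locks long enough for anything to time out, and a second console pointed at the archive store can then query old data without touching the tables the sensor is writing to.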