[Snort-users] Acid slowness

JP Vossen vossenjp at ...8683...
Wed Apr 16 22:38:06 EDT 2003


> Message: 2
> Date: Wed, 16 Apr 2003 14:27:50 -0500
> From: "Dusty Hall" <halljer at ...8709...>
> To: <vulcan20mm1 at ...5068...>,<mike at ...8840...>
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Acid slowness
>
> Did you take a look at the snort supplied optimize script?

Do you have a pointer for that?  I could not find anything in the Snort 2
source (esp contrib).  Or do you mean [0]?


> Essentially you can just login mysql, use snort, optimize each table
> (optimize table acid_ag,acid_events....etc).  That usually works pretty
> well for me.

But only if there are "holes" in the data?  Or not?  See the script for that
in [0].

I am running Snort/ACID on an ancient P133.  It ran OK (slow, but OK) at
first.  Now I'm at around 140K records and it's a slug.  I have not made a
really serious tuning attempt, but per [0] I did check the indexes.  Contrary
to [0] all three recommended indexes already existed.  (See below.)  I know
H/W is cheap but this is a home project on the side, so...  Don't laugh, the
honeypot is a 486. :-)  I did also poke around the ACID FAQ, but again not too
seriously yet.

I also made some tweaks to /etc/my.cnf (as per
/usr/share/doc/mysql-server-3.23.54a/my-medium.cnf)...  Didn't seem to affect
anything.


TIA,
JP

[0] http://archives.neohapsis.com/archives/snort/2002-07/0407.html

Snort 1.9.1 (but I only had the 2.0.0 source handy)
ACID 0.9.6b23
The SQL create scripts were from Snort 1.9.1 and ACID 0.9.6b23.


mysql> show index from tcphdr\G
*************************** 3. row ***************************
       Table: tcphdr
  Non_unique: 1
    Key_name: tcp_sport
Seq_in_index: 1
 Column_name: tcp_sport
*************************** 4. row ***************************
       Table: tcphdr
  Non_unique: 1
    Key_name: tcp_dport
Seq_in_index: 1
 Column_name: tcp_dport


mysql> show index from acid_ag_alert\G
*************************** 5. row ***************************
       Table: acid_ag_alert
  Non_unique: 1
    Key_name: ag_sid
Seq_in_index: 1
 Column_name: ag_sid
*************************** 6. row ***************************
       Table: acid_ag_alert
  Non_unique: 1
    Key_name: ag_sid
Seq_in_index: 2
 Column_name: ag_cid


------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."





More information about the Snort-users mailing list