[Snort-users] Acid slowness

Dusty Hall halljer at ...8709...
Thu Apr 17 05:49:04 EDT 2003


Just try the following, it might help.

mysql -p -u root -D snort
show tables;
optimize table ag_alert,acid_event,....etc


-Dusty

>>> JP Vossen <vossenjp at ...8683...> 4/17/2003 12:37:32 AM >>>
> Message: 2
> Date: Wed, 16 Apr 2003 14:27:50 -0500
> From: "Dusty Hall" <halljer at ...8709...>
> To: <vulcan20mm1 at ...5068...>,<mike at ...8840...>
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Acid slowness
>
> Did you take a look at the snort supplied optimize script?

Do you have a pointer for that?  I could not find anything in the Snort 2
source (esp contrib).  Or do you mean [0]?


> Essentially you can just login mysql, use snort, optimize each table
> (optimize table acid_ag,acid_events....etc).  That usually works pretty
> well for me.

But only if there are "holes" in the data?  Or not?  See the script for that
in [0].

I am running Snort/ACID on an ancient P133.  It ran OK (slow, but OK) at
first.  Now I'm at around 140K records and it's a slug.  I have not made a
really serious tuning attempt, but per [0] I did check the indexes.  Contrary
to [0] all three recommended indexes already existed.  (See below.)  I know
H/W is cheap but this is a home project on the side, so...  Don't laugh, the
honeypot is a 486. :-)  I did also poke around the ACID FAQ, but again not too
seriously yet.

I also made some tweaks to /etc/my.cnf (as per
/usr/share/doc/mysql-server-3.23.54a/my-medium.cnf)...  Didn't seem to affect
anything.


TIA,
JP

[0] http://archives.neohapsis.com/archives/snort/2002-07/0407.html 

Snort 1.9.1 (but I only had the 2.0.0 source handy)
ACID 0.9.6b23
The SQL create scripts were from Snort 1.9.1 and ACID 0.9.6b23.


mysql> show index from tcphdr\G
*************************** 3. row ***************************
       Table: tcphdr
  Non_unique: 1
    Key_name: tcp_sport
Seq_in_index: 1
 Column_name: tcp_sport
*************************** 4. row ***************************
       Table: tcphdr
  Non_unique: 1
    Key_name: tcp_dport
Seq_in_index: 1
 Column_name: tcp_dport


mysql> show index from acid_ag_alert\G
*************************** 5. row ***************************
       Table: acid_ag_alert
  Non_unique: 1
    Key_name: ag_sid
Seq_in_index: 1
 Column_name: ag_sid
*************************** 6. row ***************************
       Table: acid_ag_alert
  Non_unique: 1
    Key_name: ag_sid
Seq_in_index: 2
 Column_name: ag_cid


JP Vossen, CISSP
jp at ...8684...
My Account, My Opinions
http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed Linux..."
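The "only if there are holes in the data?" question above can be answered from SHOW TABLE STATUS: for MyISAM tables the Data_free column is the space left behind by deleted rows, which is what OPTIMIZE TABLE reclaims (it also re-sorts index pages and refreshes index statistics). The script below is an added example, not code from the thread or from Snort/ACID; it parses the batch-mode (-B) output of `mysql -D snort -e "SHOW TABLE STATUS"` and builds one OPTIMIZE TABLE statement for the fragmented tables only. The table names and figures in the sample are constructed, modelled on the MySQL 3.23 column order.

```python
# Added example: pick the Snort/ACID tables that actually have "holes"
# (Data_free > 0) before running OPTIMIZE TABLE on them.
# Input is the tab-separated output of:  mysql -B -D snort -e "SHOW TABLE STATUS"
from typing import Dict, List


def parse_table_status(text: str) -> List[Dict[str, str]]:
    """Turn batch (-B) SHOW TABLE STATUS output into one dict per table,
    keyed by the header row so column order does not matter."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def fragmented_tables(rows: List[Dict[str, str]]) -> List[str]:
    """Names of MyISAM tables whose Data_free is non-zero.  Other engines
    do not report reclaimable space in this column, so they are skipped."""
    out = []
    for r in rows:
        engine = r.get("Type") or r.get("Engine")  # 3.23 says Type, later Engine
        if engine != "MyISAM":
            continue
        if int(r.get("Data_free") or 0) > 0:
            out.append(r["Name"])
    return out


def optimize_statement(tables: List[str]) -> str:
    """One OPTIMIZE TABLE covering every fragmented table, or '' if none."""
    if not tables:
        return ""
    return "OPTIMIZE TABLE " + ", ".join(f"`{t}`" for t in tables) + ";"


# Constructed sample: MySQL 3.23 column order, made-up sizes.
SAMPLE_STATUS = "\n".join([
    "Name\tType\tRow_format\tRows\tAvg_row_length\tData_length\tMax_data_length"
    "\tIndex_length\tData_free\tAuto_increment\tCreate_time\tUpdate_time"
    "\tCheck_time\tCreate_options\tComment",
    "event\tMyISAM\tFixed\t140213\t30\t4206390\t4294967295\t2897920\t0\tNULL\tNULL\tNULL\tNULL\t\t",
    "tcphdr\tMyISAM\tFixed\t139870\t22\t3077140\t4294967295\t3194880\t31284\tNULL\tNULL\tNULL\tNULL\t\t",
    "acid_event\tMyISAM\tDynamic\t140213\t44\t6169372\t4294967295\t1843200\t0\tNULL\tNULL\tNULL\tNULL\t\t",
    "acid_ag_alert\tMyISAM\tFixed\t512\t13\t6656\t4294967295\t11264\t520\tNULL\tNULL\tNULL\tNULL\t\t",
])

if __name__ == "__main__":
    sql = optimize_statement(fragmented_tables(parse_table_status(SAMPLE_STATUS)))
    print(sql or "-- nothing to optimize")
```

OPTIMIZE TABLE rebuilds the table and its indexes and holds a table lock while it runs, so on a slow sensor box schedule it when Snort is not inserting heavily.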


