[Snort-users] Re: ACID / ALERT console browsing issue

Josh Berry josh.berry at ...10268...
Wed Dec 3 08:42:02 EST 2003


I separate the DB from the Apache front end, and make a few small
modifications to acid_conf.php.

I disable the page refresh, set show_previous_alert to 0, disable
resolve_ip, disable show_summary_stats, disable event_cache_auto_update,
disable maintain_history.  The most important is disabling the
event_cache_auto_update (however, if you disable this you will need to go
to the cache and status page periodically to update the cache).   This
will significantly boost the performance.

Also, add indexes on:
acid_event.sid
acid_event.cid
tcphdr.tcp_sport
tcphdr.tcp_dport
acid_ag_alert.ag_sid
acid_ag_alert.ag_cid


> I've had similar issues and tried tweaking everything possible.  The only
> solution was more powerful hardware on the machine running ACID.  I'm not
> sure if that's the case for you but if you're logging the alerts to the
> same machine that's running ACID and you see that it's faster when Snort
> isn't running, I think this is the case.  I moved MySQL and ACID to a dual
> XEON 2ghz with 2gb RAM and it's now faster than I ever thought possible. I
> used to run the same setup on Solaris 8 on a Sunfire V100, faster than
> what you have (I think) and even on that it was intolerably slow.  The
> reason I finally moved everything to the dual XEON machine was because I
> average about 1000 alerts per day globally (5 sensors) and MySQL would
> time out when I tried deleting more than a couple thousand alerts.  I
> thought MySQL needed to be tweaked but like I said, I tried and tried to
> no avail.  My guess is hardware.
>
> Adam Peterson | Senior WAN Engineer | SPL WorldGroup |
> adam_peterson at ...10608... | +1.415.357.4787
>
>
> From: Shekar Reddy <shekar.reddy at ...10553...>
> To: snort-users at lists.sourceforge.net
> Date: Tue, 25 Nov 2003 12:17:15 -0800
> Subject: [Snort-users] ACID / ALERT console browsing issue
>
> Hi,
>
> I'm running SNORT 2.0.4 and ACID on Sun ULTRA 5 workstation with Solaris 9
> O.S.
>
> I'm experiencing SNORT / ACID performance problems on a live network. It
> takes more than 120 seconds to move from one page to another while
> browsing the ACID console. Just wanted to know how to optimize. It was
> all OK in a test environment. It used to take just 2 seconds to load the
> pages.
>
> Here is SNORT hardware information:
>
> Snort 1 (+ACID +snortcenter) : sun ultra 5 SPARC IIi 360MHz, 512 MB, 10GB
> Snort2 sensor : sun ultra 5 SPARC IIi 360MHz, 512 MB, 10GB
>
> Here's one more glitch: snort boxes are in datacenter and I'm trying to
> browse ACID console from my work place through my VPN session to
> datacenter.
>
>
> NOTE: I don't have any VPN latency issues for other applications. We have
> a partial DS3 connection at our work place too.
>
> Here is an important NOTE: When I stop mirroring the traffic, I see
> significant browsing performance.
>
> Please let me know what is the bottleneck here. Acid main page itself will
> take 120 seconds to download. How can I improve the ACID CONSOLE browsing
> performance?
>
> NOTE: I haven't tried browsing ACID directly from snort/ACID machine. I'll
> try that and post it later.
>
> Any suggestions are appreciated...
>
> Thanks
> S
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
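The index list above, written out as MySQL DDL for a Snort/ACID database. This is an added example, not part of Josh Berry's post; the table and column names are the ones he lists, while the `idx_*` index names are my own choice, and the sample `sid`/`cid` values in the EXPLAIN are constructed.

```sql
-- Added example (not from the mailing-list post): the indexes recommended
-- above, as MySQL statements to run in the mysql client as the ACID DB user.
-- Index names (idx_*) are assumptions; table/column names come from the post.
CREATE INDEX idx_acid_event_sid    ON acid_event (sid);
CREATE INDEX idx_acid_event_cid    ON acid_event (cid);
CREATE INDEX idx_tcphdr_sport      ON tcphdr (tcp_sport);
CREATE INDEX idx_tcphdr_dport      ON tcphdr (tcp_dport);
CREATE INDEX idx_acid_ag_alert_sid ON acid_ag_alert (ag_sid);
CREATE INDEX idx_acid_ag_alert_cid ON acid_ag_alert (ag_cid);

-- Check that the indexes were created.
SHOW INDEX FROM acid_event;
SHOW INDEX FROM tcphdr;
SHOW INDEX FROM acid_ag_alert;

-- Confirm the optimizer actually uses an index for the lookup pattern ACID
-- issues when it pages through alerts (constructed sample values).
EXPLAIN SELECT sid, cid FROM acid_event WHERE sid = 1 AND cid = 1000;
```

Building an index on a large MyISAM table blocks writes for the duration, so run this while the sensors are quiet or while Snort is paused; the EXPLAIN output should show the new index in the `key` column rather than a full table scan. If ACID's queries always filter on both `sid` and `cid`, a single composite index on `(sid, cid)` can replace the two single-column ones on `acid_event`; that is a general MySQL observation on my part, not something the post suggests.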




