[Snort-users] ACID 0.9.6b23 Search page issue

Erick Mechler emechler at ...7719...
Tue Jan 28 17:51:10 EST 2003


:: This happens with a db that has ~60k events in it.  I recently (yesterday)
:: deleted ~1M rows but after that the tables were optimized.  I'm trying to
:: get to the point where I archive on a regular basis - part of that process
:: involves searching, which is where I'm stuck now :-).

How long does it take for the search page to come up (even in a partial
state)?  How big is the Snort data table on your disk?  I've seen problems
with ACID where you try to remove old alerts, but it only removes the alert
entry from the acid_alert table, not the data table.  As such, when I
thought I was cleaning out old stuff I really had a data table that wasn't
getting cleaned out.

This data inconsistency that seems to present itself with large tables is
fairly worrisome which is why I'm writing a small DBI script to remove old 
alerts entirely.

Cheers - Erick
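
Added example, not part of the original message or of ACID: a check for the inconsistency described above, where alert rows are deleted but their payload rows remain. The table names `acid_alert` and `data` come from the message; the `(sid, cid)` key, the other columns, and the sample rows are assumptions in a simplified, constructed schema.

```python
import sqlite3

def build_sample_db():
    """Constructed sample: 5 alerts, each with a payload row, keyed by (sid, cid)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE acid_alert (sid INTEGER, cid INTEGER, ts TEXT,
                                 PRIMARY KEY (sid, cid));
        CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT,
                           PRIMARY KEY (sid, cid));
    """)
    rows = [(1, c, "2003-01-%02d" % (20 + c)) for c in range(1, 6)]
    db.executemany("INSERT INTO acid_alert VALUES (?, ?, ?)", rows)
    db.executemany("INSERT INTO data VALUES (?, ?, ?)",
                   [(s, c, "payload") for s, c, _ in rows])
    db.commit()
    return db

def partial_delete(db, cutoff):
    """Reproduce the reported behaviour: only the alert rows are removed."""
    with db:  # commits on success, rolls back on error
        db.execute("DELETE FROM acid_alert WHERE ts < ?", (cutoff,))

def find_orphans(db):
    """Payload rows whose (sid, cid) no longer has an alert row."""
    return db.execute("""
        SELECT d.sid, d.cid FROM data d
        LEFT JOIN acid_alert a ON a.sid = d.sid AND a.cid = d.cid
        WHERE a.sid IS NULL
        ORDER BY d.sid, d.cid
    """).fetchall()

def purge_orphans(db):
    """Delete orphaned payload rows in one transaction; return rows removed."""
    with db:
        cur = db.execute("""
            DELETE FROM data WHERE NOT EXISTS (
                SELECT 1 FROM acid_alert a
                WHERE a.sid = data.sid AND a.cid = data.cid)
        """)
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    partial_delete(db, "2003-01-24")
    print("orphaned payload rows:", find_orphans(db))
    print("purged:", purge_orphans(db))
```

Running the orphan count before and after a cleanup shows whether the on-disk data table is actually shrinking along with the alert table.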
