[Snort-users] Finding alerts taking up the most database space

M Shirk shirkdog_linux at ...125...
Mon Sep 13 09:45:15 EDT 2004

When using an IDS in general, if you have 6G of data for a very short 
time-frame, you may need to either tune your sensor by filtering, or by 
archiving that data.

If this is for a business/project, you need to have a definition of the 
time-frame to keep live data available for analysis. One of the clients I 
worked with created 2 GB of data every 3 months. I knew what the problem 
was, but they did not let us filter :-). They wanted this info for trending 
(don't ask).

I think others on the list would chime in that this is not a snort problem 
because snort is working.

Do you have snort and the mysql DB and your webserver all on the same 
server? I have run this configuration just for testing and it kills my 
rather old system with 160MB of RAM.


>From: "McCash, John" <John.McCash at ...10979...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Finding alerts taking up the most database space
>Date: Fri, 10 Sep 2004 11:20:47 -0500
>I currently am running snort and acid with mysql, and my
>database size is getting up around 6G. The data table, data.MYD alone is
>about 3.3G. As you may imagine, my db performance is lousy. Does anyone
>have an easy way of determining which alerts are taking up the greatest
>amount of db space, so that I can selectively prune those entries?
>Thanks in advance
>John McCash
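The question quoted above (which signatures occupy the most space in the Snort database, so that their entries can be pruned selectively) has a direct answer in SQL: join each row of the `event` table to its captured payload in `data` and sum the payload size per signature. The script below is an added example, not code from either poster; it assumes the table and column names of the Snort database output plugin schema that ACID reads (`event(sid, cid, signature, timestamp)`, `signature(sig_id, sig_name)`, `data(sid, cid, data_payload)`), builds a constructed sample set in an in-memory SQLite database so it runs offline, and also shows a prune step that drops only the payload rows for a chosen signature while keeping the `event` rows, which preserves the trending data the reply mentions clients asking for.

```python
"""Rank Snort signatures by the payload bytes they occupy in the `data` table.

Added example. The schema below is assumed to match the Snort database
output plugin / ACID layout; the rows are constructed, and SQLite stands in
for MySQL so the script runs stand-alone. The SQL itself is plain enough to
run unchanged against the real MySQL database.
"""
import sqlite3

# Assumed schema (subset of the Snort DB output plugin tables).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT,
                   PRIMARY KEY (sid, cid));
"""

# Payload bytes per signature. LEFT JOIN keeps signatures whose events carry
# no payload row (they show up with 0 bytes). LENGTH() counts bytes on MySQL
# and characters on SQLite; payloads are hex text, so the ranking is the same.
RANK_QUERY = """
SELECT s.sig_name,
       COUNT(e.cid)                             AS alerts,
       COALESCE(SUM(LENGTH(d.data_payload)), 0) AS payload_bytes
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN data d ON d.sid = e.sid AND d.cid = e.cid
GROUP BY s.sig_id, s.sig_name
ORDER BY payload_bytes DESC, alerts DESC
LIMIT ?;
"""

# Drop only the payload rows for one signature; the event rows stay behind.
PRUNE_QUERY = """
DELETE FROM data
WHERE EXISTS (SELECT 1 FROM event e
              JOIN signature s ON s.sig_id = e.signature
              WHERE e.sid = data.sid AND e.cid = data.cid AND s.sig_name = ?);
"""

# Constructed sample data: (sig_id, number of alerts, hex payload or None).
SAMPLE_SIGNATURES = [(1, "ICMP PING NMAP"),
                     (2, "WEB-MISC long URI"),
                     (3, "SNMP public access udp")]
SAMPLE_EVENTS = [(1, 50, "41" * 32),    # many small payloads: 50 x 64 = 3200
                 (2, 5, "41" * 500),    # few large payloads:  5 x 1000 = 5000
                 (3, 20, None)]         # events logged without a payload row


def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)", SAMPLE_SIGNATURES)
    cid = 0
    for sig_id, count, payload in SAMPLE_EVENTS:
        for _ in range(count):
            cid += 1
            conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                         (1, cid, sig_id, "2004-09-10 11:20:47"))
            if payload is not None:
                conn.execute("INSERT INTO data VALUES (?, ?, ?)", (1, cid, payload))
    conn.commit()
    return conn


def rank_signatures_by_payload(conn, limit=10):
    """Return [(sig_name, alert_count, payload_bytes), ...], largest first."""
    return conn.execute(RANK_QUERY, (limit,)).fetchall()


def prune_payloads(conn, sig_name):
    """Delete payload rows for one signature; return how many were removed."""
    cur = conn.execute(PRUNE_QUERY, (sig_name,))
    conn.commit()
    return cur.rowcount


def event_count(conn):
    """Number of event rows, used to confirm pruning left them intact."""
    return conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    for name, alerts, nbytes in rank_signatures_by_payload(db):
        print(f"{nbytes:>8} bytes  {alerts:>4} alerts  {name}")
    removed = prune_payloads(db, "WEB-MISC long URI")
    print(f"pruned {removed} payload rows; {event_count(db)} events retained")
```

On a MySQL database of the size described, run `RANK_QUERY` with a small `LIMIT` first; it scans `event` and `data` in full, so expect it to take a while and to hit the same slow disk that is already making ACID sluggish. Pruning with `PRUNE_QUERY` reclaims space inside the table only; `OPTIMIZE TABLE data` (MyISAM) is what actually shrinks `data.MYD` on disk afterwards.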
