[Snort-users] Finding alerts taking up the most database space

McCash, John John.McCash at ...10979...
Wed Sep 22 12:48:03 EDT 2004


Hi Shirkdog,
	The 6G was for a three month timeframe, which is my defined
retention period. I'm working on adding pass rules to filter the data,
and I've got my sensors, web server, and DB on different hosts. And the
DB runs on a fairly high performance server (even if it is on Windows
:-(). I didn't say it was a snort problem, I just asked if anyone knew
an easy way to pinpoint which alerts were taking up the most DB space.
You'd think that a 3.5GHz quad processor box with 4G of RAM, and a
(admittedly only 3 disk) raid array for the DB storage, could handle a
bit larger database size before choking... I've tuned the mysql
configuration as best I can given what I've been able to find on the
Internet, but there may be some database hacks that I've missed.
		Thanks anyway
			John
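An added example, not from anyone in this thread, of the "easy way" John is asking for: rank signatures by the payload they have stored in the stock Snort/ACID MySQL schema. It assumes the standard tables written by the Snort database output plugin (event, signature, data) and that the database uses MyISAM, which is what a data.MYD file implies.

```sql
-- Added example (not from the thread). Assumes the stock Snort database
-- output plugin schema: event(sid, cid, signature, timestamp),
-- signature(sig_id, sig_name, ...), data(sid, cid, data_payload).
-- data.data_payload holds the packet payload hex-encoded, so LENGTH()
-- counts roughly twice the captured bytes and ignores index and header
-- rows; the ranking, not the absolute figure, is what matters here.

-- 1. Which signatures account for the most stored payload?
SELECT s.sig_name,
       COUNT(*)                                            AS events,
       SUM(LENGTH(d.data_payload))                         AS payload_chars,
       ROUND(SUM(LENGTH(d.data_payload)) / 1024 / 1024, 1) AS payload_mb
FROM   event e
JOIN   signature s ON s.sig_id = e.signature
LEFT JOIN data d   ON d.sid = e.sid AND d.cid = e.cid
GROUP  BY s.sig_name
ORDER  BY payload_chars DESC
LIMIT  20;

-- 2. Cheaper variant that never touches the big data table: rank by
--    event count alone, which usually points at the same noisy rules.
SELECT s.sig_name, COUNT(*) AS events
FROM   event e
JOIN   signature s ON s.sig_id = e.signature
GROUP  BY s.sig_name
ORDER  BY events DESC
LIMIT  20;

-- 3. Selective prune: drop only the stored payload for one noisy
--    signature older than the retention window, keeping the alert row
--    itself so ACID's counts and trending stay intact.
--    'SIG_NAME_PLACEHOLDER' and the cutoff date are placeholders; the
--    date shown is a constructed value (three months before the post).
DELETE d
FROM   data d
JOIN   event e     ON e.sid = d.sid AND e.cid = d.cid
JOIN   signature s ON s.sig_id = e.signature
WHERE  s.sig_name  = 'SIG_NAME_PLACEHOLDER'
  AND  e.timestamp < '2004-06-22';

-- MyISAM does not shrink data.MYD on DELETE; reclaim the space afterwards.
OPTIMIZE TABLE data;
```

Run the first query off-hours or against a replica: it scans the whole data table once. The second query is safe to run any time and is a good first look.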

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of M Shirk
Sent: Monday, September 13, 2004 11:32 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Finding alerts taking up the most database space

When using an IDS in general, if you have 6G of data for a very short
time-frame, you may need to either tune your sensor by filtering, or by
archiving that data.

If this is for a business/project, you need to have a definition of the
time-frame to keep live data available for analysis. One of the clients I
worked with created 2 GB of data every 3 months. I knew what the problem
was, but they did not let us filter :-). They wanted this info for trending
(don't ask).

I think others on the list would chime in that this is not a snort problem
because snort is working.

Do you have snort and the mysql DB and your webserver all on the same
server? I have run this configuration just for testing and it kills my
rather old system with 160MB of RAM.

Shirkdog.
http://www.shirkdog.us

>From: "McCash, John" <John.McCash at ...10979...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Finding alerts taking up the most database space
>Date: Fri, 10 Sep 2004 11:20:47 -0500
>
>Hi,
>
>                I currently am running snort and acid with mysql, and my
>database size is getting up around 6G. The data table, data.MYD alone is
>about 3.3G. As you may imagine, my db performance is lousy. Does anyone
>have an easy way of determining which alerts are taking up the greatest
>amount of db space, so that I can selectively prune those entries?
>
>                               Thanks in advance
>
>                                              John McCash
>

