[Snort-users] event database size

Paul Schmehl pauls at ...6838...
Wed May 24 17:11:09 EDT 2006


Have you tried using my archive script?

<http://www.ntsug.org/downloads.html>

--On May 24, 2006 8:10:43 AM -0400 "Wright, Albert John (A J)" 
<ajw at ...6827...> wrote:

>
>
> In the "contrib" directory of previous versions of snort (2.2.0 maybe?)
> there was a snort_archdb perl script that still works with the current
> schema.  From what I can tell, it takes care of the problem with data
> dependencies between the various tables.
>
> It seems to be somewhat resource intensive.  Our 42Gb database takes an
> hour or two to purge.  When we originally started using it (and our DB
> was 350Gb), database connections would time out before some commands would
> finish.
>
> Now, if others are using something different that has shown better
> results ... I'd love to know.
>
> --aj
>
> A. J. Wright -- <ajw at ...6827...>
> Senior Security Analyst, Information Security Office
> University of Tennessee, Knoxville
>
>
>
> __________________________________________________
> From: snort-users-admin at lists.sourceforge.net on behalf of John Newman
> Sent: Tue 2006-05-23 11:38 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] event database size
>
>
>
> Anyone out there know of any good pre-existing solutions to keeping the
> event database from growing ever bigger and bigger?  I suppose some
> simple sql code, e.g.
>
> delete from snort.event where time < 'XXXXX'
>
> or something like that....  is this what others are doing?
>
> --
> John Newman
> Systems Administrator, WebXess Inc.
>
>



Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
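
An added example, not part of the original thread and not taken from either script mentioned in it: a batched retention purge that removes the per-packet rows that depend on an event before the event row itself, committing after each batch so no single statement runs long. It assumes the Snort database output schema's table names keyed by (sid, cid), reduced to key columns; the SQLite stand-in, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

# Per-packet tables keyed by (sid, cid); names follow the Snort database
# output schema, reduced here to the key columns (an assumption).
CHILD_TABLES = ("iphdr", "tcphdr", "udphdr", "icmphdr", "opt", "data")

def make_sample_db():
    """Constructed in-memory stand-in for the Snort event database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT)")
    for t in CHILD_TABLES:
        db.execute(f"CREATE TABLE {t} (sid INT, cid INT)")
    for cid in range(1, 11):  # events 1-6 are old, 7-10 are recent
        month = "01" if cid <= 6 else "05"
        ts = "2006-%s-%02d 00:00:00" % (month, cid)
        db.execute("INSERT INTO event VALUES (1, ?, 1, ?)", (cid, ts))
        db.execute("INSERT INTO iphdr VALUES (1, ?)", (cid,))
        db.execute("INSERT INTO tcphdr VALUES (1, ?)", (cid,))
    db.commit()
    return db

def purge_before(db, cutoff, batch=4):
    """Delete events older than cutoff, child rows first, one batch per commit."""
    purged = 0
    while True:
        keys = db.execute(
            "SELECT sid, cid FROM event WHERE timestamp < ? LIMIT ?",
            (cutoff, batch)).fetchall()
        if not keys:
            return purged
        for t in CHILD_TABLES + ("event",):  # the event row goes last
            db.executemany(f"DELETE FROM {t} WHERE sid = ? AND cid = ?", keys)
        db.commit()  # small batches keep each transaction short
        purged += len(keys)

def orphans(db):
    """Count child rows whose event row no longer exists."""
    return sum(db.execute(
        f"SELECT COUNT(*) FROM {t} c WHERE NOT EXISTS "
        "(SELECT 1 FROM event e WHERE e.sid = c.sid AND e.cid = c.cid)"
    ).fetchone()[0] for t in CHILD_TABLES)

if __name__ == "__main__":
    db = make_sample_db()
    print(purge_before(db, "2006-03-01 00:00:00"), "events purged,", orphans(db), "orphans")
```

Running `orphans()` after a delete against the event table alone shows the dependent rows such a delete leaves behind.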