[Snort-users] Archiving events via BASE

a0037 a0037 at ...14157...
Fri Jun 22 12:46:32 EDT 2007


On Fri, Jun 22, 2007 at 03:23:05AM -0700, David Ryan wrote:
 
> There seems to be a problem with the archiving function, 
> but I don't know if I am using it incorrectly.  I had one 
> particular alert with 15,000+ events, so I went in to the 
> view of unique alerts, selected the relevant icon on the 
> list and selected 'archive (move) selected' from the actions.  
> After a long time the transaction seemed to finish OK, 
> but when I went in to look at it again there was still 
> some large number of these events . . . maybe 5,000+.  
> I checked the archive database and many of the entries 
> had been moved.  I repeated the procedure and it came down 
> to 1,000+ events.  Then I repeated it and it left 1.  
> No matter how many times I repeat, this 1 event will not move.
> 
> So, here's the question - how come when I asked BASE to move 
> all the records of a particular type it only moved part of them, 
> and how come it refuses to move the last transaction ?  
> It makes me a bit wary of the archive function if it has this 
> type of issue.

Hi,

PHP has a timeout for each script. BASE increases this timeout
a little bit, but not enough for such a huge number of alerts.
In base_conf.php look for a line like

	$max_script_runtime = 180;

Set this to 6000 or whatever:

	$max_script_runtime = 6000;

Bye, bye,

Juergen




