[Snort-users] Snort Overloading BASE?

James Chase chase1124 at ...11827...
Wed Jan 20 15:53:00 EST 2010


Thanks, Alex.

I'm using MySQL, do you know if there is a script that will work for that as
well?

I've tried using some filtering, but whenever I use this .bpf file, snort
doesn't log ANYTHING. I'm not sure I see what is wrong with my tcpdump
syntax here:

[jchase at ...9687... ~]$ cat /etc/snort/ignore.bpf.bak
not src host xxx.xxx.xxx.163 and port 25
and not host 192.168.1.30 and port 161

snort    14221     1  0  2009 ?        00:00:00 /usr/sbin/snort -D -i eth0
-u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
/etc/snort/ignore.bpf

On Wed, Jan 20, 2010 at 3:44 PM, Alexander Novokhatsky <
alex.ontario at ...11827...> wrote:

>  Hello James,
>
> I've set up Referential Integrity via foreign keys in the database (MS SQL) and
> then created a job to remove outdated events based on the dbo.event.timestamp
> column.
> The SQL script required for creating Referential Integrity is included in the BASE
> sources. Just look them through.
>
> All other tables are updated automatically.
>
> I try to keep the number of alerts in BASE around 100.000. It becomes unusable when
> the number exceeds 500.000 alerts.
>
> Also consider using threshold and suppress rules in snort. It can help to
> reduce alerts count.
>
>
>
> Wednesday, January 20, 2010, 3:24:31 PM, you wrote:
>
>
>  I'm running snort-2.8.5-1 on CentOS 5.4 and collecting snort alerts to a
> database with barnyard2. The problem is snort seems to be generating so many
> alerts that whenever I load the BASE page it takes 5 or 10 minutes to
> display! I believe it is just processing the new alerts but it really makes
> the system unusable.
>
> Is there anything that can be done to clear out the DB of old alerts
> automatically or anyone else that has experienced this problem?
>
> --
> "Beware of all enterprises that require new clothes."
>  --  Henry David Thoreau
>
>
>
> --
> Best regards,
>  Alexander                            mailto:alex.ontario at ...11827...
>



-- 
"Beware of all enterprises that require new clothes."
 --  Henry David Thoreau
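The filter quoted above fails for a precedence reason that is easy to check offline. In the pcap filter grammar, `not` binds tightest, while `and` and `or` have equal precedence and associate left to right, so the ungrouped expression is read as `(not src host X) and port 25 and (not host Y) and port 161`: it only passes packets that involve port 25 and port 161 at the same time, which is essentially nothing. The following is an added example, not code from the post or from the Snort project. It models that subset of the grammar (`[src|dst] host`, `[src|dst] port`, `not`, `and`, `or`, parentheses) over a few constructed packets; the masked address from the post is replaced with the placeholder `10.0.0.163`, and libpcap's qualifier shorthand (`host a and b`) is deliberately not modelled.

```python
"""Minimal evaluator for a subset of the pcap/BPF filter grammar.

Added example (not from the mailing-list post). It reproduces how libpcap
groups 'not', 'and' and 'or' so a filter file can be sanity-checked without
tcpdump or Snort. Supported: [src|dst] host ADDR, [src|dst] port NUM,
not/and/or, parentheses. Qualifier inheritance ("host a and b") is omitted.
"""
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(text):
    return TOKEN_RE.findall(text)


class Parser:
    def __init__(self, text):
        self.toks = tokenize(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return pred

    # expr := not_expr (('and'|'or') not_expr)*
    # pcap-filter(7): 'and' and 'or' have equal precedence, left-associative.
    def expr(self):
        left = self.not_expr()
        while self.peek() in ("and", "or"):
            op = self.take()
            right = self.not_expr()
            if op == "and":
                left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            else:
                left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    # not_expr := 'not' not_expr | primary   -- negation binds tightest,
    # so 'not' applies only to the single primitive that follows it.
    def not_expr(self):
        if self.peek() == "not":
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.primary()

    def primary(self):
        if self.peek() == "(":
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner
        direction = None
        if self.peek() in ("src", "dst"):
            direction = self.take()
        kind = self.take()
        value = self.take()
        if kind == "host":
            fields = {"src": ["src"], "dst": ["dst"], None: ["src", "dst"]}[direction]
            return lambda p: any(p[f] == value for f in fields)
        if kind == "port":
            num = int(value)
            fields = {"src": ["sport"], "dst": ["dport"], None: ["sport", "dport"]}[direction]
            return lambda p: any(p[f] == num for f in fields)
        raise ValueError(f"unsupported primitive {kind!r}")


def compile_filter(text):
    return Parser(text).parse()


def evaluate(filter_text, packets):
    """Return one True/False per packet: True means the packet passes the filter."""
    pred = compile_filter(filter_text)
    return [pred(p) for p in packets]


# Constructed sample packets; addresses are placeholders, not real hosts.
PACKETS = [
    {"src": "10.0.0.163", "dst": "10.0.0.5", "sport": 4000, "dport": 25},     # mail from the .163 host
    {"src": "10.0.0.7", "dst": "192.168.1.30", "sport": 5000, "dport": 161},  # SNMP poll of the manager
    {"src": "10.0.0.7", "dst": "10.0.0.8", "sport": 5000, "dport": 80},       # ordinary web traffic
]

# The filter as written in the post, masked address replaced by a placeholder.
AS_WRITTEN = "not src host 10.0.0.163 and port 25 and not host 192.168.1.30 and port 161"
# The same intent with explicit grouping around each (host, port) pair.
GROUPED = "not (src host 10.0.0.163 and port 25) and not (host 192.168.1.30 and port 161)"

if __name__ == "__main__":
    print("as written:", evaluate(AS_WRITTEN, PACKETS))  # every packet filtered out
    print("grouped:   ", evaluate(GROUPED, PACKETS))     # only the web packet passes
```

On a live sensor the equivalent check is `tcpdump -i eth0 -d -F /etc/snort/ignore.bpf`, which prints the compiled filter program without capturing anything, so a filter that compiles to "match nothing" is visible before it is handed to Snort.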