[Snort-users] Snort Overloading BASE?

Joel Esler jesler at ...1935...
Wed Jan 20 17:50:42 EST 2010


It appears that you have it on two different lines (the bpf statement).

Can you put it on one continuous line and try it again?

J

On Wed, Jan 20, 2010 at 3:53 PM, James Chase <chase1124 at ...11827...> wrote:

> Thanks, Alex.
>
> I'm using MySQL, do you know if there is a script that will work for that
> as well?
>
> I've tried using some filtering, but whenever I use this .bpf file, snort
> doesn't log ANYTHING. I'm not sure I see what is wrong with my tcpdump
> syntax here:
>
> [jchase at ...9687... ~]$ cat /etc/snort/ignore.bpf.bak
> not src host xxx.xxx.xxx.163 and port 25
> and not host 192.168.1.30 and port 161
>
> snort    14221     1  0  2009 ?        00:00:00 /usr/sbin/snort -D -i eth0
> -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -F
> /etc/snort/ignore.bpf
>
> On Wed, Jan 20, 2010 at 3:44 PM, Alexander Novokhatsky <
> alex.ontario at ...11827...> wrote:
>
>>  Hello James,
>>
>> I've set up Referential Integrity via foreign keys in database(MS SQL) and
>> then created a job to remove outdated events based on dbo.event.timestamp
>> column.
>> SQL script, required for creating Referential Integrity is included in
>> BASE sources. Just look them through.
>>
>> All other tables are updated automatically.
>>
>> I try to keep alerts number in BASE around 100.000. It becomes unusable
>> when the number exceeds 500.000 alerts.
>>
>> Also consider using threshold and suppress rules in snort. It can help to
>> reduce alerts count.
>>
>>
>>
>> Wednesday, January 20, 2010, 3:24:31 PM, you wrote:
>>
>>
>>  I'm running snort-2.8.5-1 on CentOS 5.4 and collecting snort alerts to a
>> database with barnyard2. The problem is snort seems to be generating so many
>> alerts that whenever I load the BASE page it takes 5 or 10 minutes to
>> display! I believe it is just processing the new alerts but it really makes
>> the system unusable.
>>
>> Is there anything that can be done to clear out the DB of old alerts
>> automatically or anyone else that has experienced this problem?
>>
>> --
>> "Beware of all enterprises that require new clothes."
>>  --  Henry David Thoreau
>>
>>
>>
>> --
>> Best regards,
>>  Alexander                            mailto:alex.ontario at ...11827...
>>
>
>
>
> --
> "Beware of all enterprises that require new clothes."
>  --  Henry David Thoreau
>
>



-- 
Joel Esler
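Added example, not part of this thread or of Snort's own code: a small evaluator for the subset of pcap-filter (BPF) syntax that appears in the quoted ignore.bpf, written to show what the filter does once it is on one line. It assumes the precedence rules documented in pcap-filter(7) (negation binds tightest; "and" and "or" share one precedence level and associate left to right), and it uses 203.0.113.163 as a constructed stand-in for the masked xxx.xxx.xxx.163 address. Under those rules "not src host X and port 25 and not host Y and port 161" parses as "((not src host X) and port 25 and (not host Y)) and port 161", which requires port 25 and port 161 on the same packet, so nothing passes to the detection engine. The grouped form shows the same intent with explicit parentheses.

```python
# Added example (not from the Snort-users thread): evaluate a BPF-style
# ignore filter against constructed packets to see what Snort's -F would keep.
# Assumes pcap-filter(7) precedence: "not" binds tightest, "and"/"or" are
# equal and left-associative. 203.0.113.163 stands in for the masked address.
import re


def tokenize(expr):
    """Split a filter string into tokens, keeping parentheses separate."""
    return re.findall(r"\(|\)|[^\s()]+", expr)


def parse(expr):
    tokens = tokenize(expr)
    node, pos = _parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return node


def _parse_expr(tokens, pos):
    # "and"/"or" share one precedence level and associate left to right.
    left, pos = _parse_unary(tokens, pos)
    while pos < len(tokens) and tokens[pos] in ("and", "&&", "or", "||"):
        op = "and" if tokens[pos] in ("and", "&&") else "or"
        right, pos = _parse_unary(tokens, pos + 1)
        left = (op, left, right)
    return left, pos


def _parse_unary(tokens, pos):
    # "not" negates only the next primitive or parenthesised group,
    # never the rest of the line.
    if pos >= len(tokens):
        raise ValueError("unexpected end of filter")
    tok = tokens[pos]
    if tok in ("not", "!"):
        sub, pos = _parse_unary(tokens, pos + 1)
        return ("not", sub), pos
    if tok == "(":
        sub, pos = _parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing closing parenthesis")
        return sub, pos + 1
    return _parse_primitive(tokens, pos)


def _parse_primitive(tokens, pos):
    direction = None
    if tokens[pos] in ("src", "dst"):
        direction, pos = tokens[pos], pos + 1
    if pos + 1 >= len(tokens) or tokens[pos] not in ("host", "port"):
        raise ValueError("expected 'host X' or 'port N' at token %d" % pos)
    return ("prim", tokens[pos], direction, tokens[pos + 1]), pos + 2


def matches(node, pkt):
    """True if the packet (dict with src, dst, sport, dport) matches node."""
    tag = node[0]
    if tag == "not":
        return not matches(node[1], pkt)
    if tag == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if tag == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    _, kind, direction, value = node
    if kind == "host":
        fields = {"src": pkt["src"], "dst": pkt["dst"]}
    else:
        fields = {"src": str(pkt["sport"]), "dst": str(pkt["dport"])}
    if direction is None:  # plain "host"/"port" means either end
        return value in fields.values()
    return fields[direction] == value


def kept(expr, pkt):
    """Would a packet matching the -F filter reach the detection engine?"""
    return matches(parse(expr), pkt)


def count_kept(expr, pkts):
    return sum(1 for p in pkts if kept(expr, p))


# The quoted filter joined onto one line, and the same intent with grouping.
AS_POSTED = ("not src host 203.0.113.163 and port 25 "
             "and not host 192.168.1.30 and port 161")
GROUPED = ("not (src host 203.0.113.163 and port 25) "
           "and not (host 192.168.1.30 and port 161)")

# Constructed sample traffic, not captured data.
SAMPLE = [
    dict(src="203.0.113.163", dst="198.51.100.10", sport=4321, dport=25),  # outbound SMTP
    dict(src="198.51.100.10", dst="203.0.113.163", sport=5555, dport=25),  # inbound SMTP
    dict(src="192.168.1.10", dst="192.168.1.30", sport=40000, dport=161),  # SNMP poll
    dict(src="192.168.1.50", dst="198.51.100.20", sport=50000, dport=80),  # web request
]

if __name__ == "__main__":
    for label, expr in (("as posted", AS_POSTED), ("grouped", GROUPED)):
        print("%-9s keeps %d of %d packets" % (label, count_kept(expr, SAMPLE), len(SAMPLE)))
```

Running it shows the one-line filter as posted keeps none of the four constructed packets, while the grouped form keeps the inbound SMTP and the web request and drops only the two flows the ignore file was meant to exclude. Before loading a filter with Snort's -F, the same filter string can be handed to tcpdump on the sensor interface to confirm that the expected traffic still shows up.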