[Snort-users] Where's Waldo?

Michael Steele michaels at ...9077...
Thu Oct 11 17:06:19 EDT 2012


Don't know where you got the idea of a wait. I see events instantly as soon
as I refresh BASE. There is no lag time between snort to log file, Barnyard2
grabbing the event from the log, Barnyard2 shuttling the event to the
database, (and here is where there should only be lag) the user refreshing
BASE (or just allow BASE to refresh itself).  

Michael...

-----Original Message-----
From: AllowOverride [mailto:allowoverride at ...11827...] 
Sent: Thursday, October 11, 2012 3:30 PM
To: wkitty42 at ...14940...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Where's Waldo?

it appears to be logging data again to base, so you are saying, wait 24
hours for new data to be present?
ic, your point about 1 hour, as most of the configs state 1 hour, however,
when i first pinged server and ICMP hits were displayed on base, it was
instantaneous. so you see where i get my idea, that after clearing a
completely blank table, displayed data on base, and by clearing tables, it
won't display data quickly EVEN after i restart services, or clear or
snort.logs,alerts, or restart snort/barnyard2 processes. see my point?

i see yours. thanks.

just a test, i will clear tables, and close browser, come back in 1 hour
increments, and see if that is the issue, it takes an hour to input new data
after base clear table buttons have cleared. i assume there is a switch in
the configs to make it quicker. 

any idea of what that line or file name is, in /var/www/base-1.4.5/* ?
what keyword to grep for?

thanks!!



On Wed, 2012-10-10 at 20:56 -0400, waldo kitty wrote:
> On 10/10/2012 17:55, AllowOverride wrote:
> > yes exactly, i believe that also to be a possible issue, as it will
> > only restart to send to mysql after i restart each piece of this pig
> > puzzle.
> > although, sometimes, it will resend if i restart apache2, or snort, or
> > barnyard2 in random order...
> 
> maybe there's an automatic restart for the failing process and your
> attempts to force the issue and make it restart are confusing things?
> how long have you left it alone once you clicked on the [clear tables]
> button? 30 minutes? an hour?
> 
> i ask because one of the systems i work with has a similar feature... 
> in some cases, it can take a day for the database stuffings to catch 
> up and start providing some data...
> 
> REMEMBER: a feature is an undocumented bug. the first fix is generally 
> to document it as a feature ;)
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

