[Snort-users] Where's Waldo?

Paul Schmehl pschmehl_lists at ...14358...
Thu Oct 11 23:17:07 EDT 2012


Look in the base config file (base_conf.php).  You will find these 
configuration options:

$refresh_stat_page = 1;
$refresh_all_pages = 0;
$stat_page_refresh_time = 180;

If 3 minutes is too long a refresh time for you, change it.

--On October 11, 2012 5:08:19 PM -0700 AllowOverride 
<allowoverride at ...11827...> wrote:

> BASE is working, just not refreshing new data after clearing tables with
> radio button on BASE GUI.
>
> Not a biggy, it still logs after a short while, haven't found exact times
> though, but I would say less than 24 hours it will populate BASE GUI
> again. Just odd...
>
> On Thu, 2012-10-11 at 18:05 -0400, Michael Steele wrote:
>> BASE is a great place to start out. Maybe when you get everything working
>> properly then make the switch.
>>
>> BASE is a viable option, it may not have a developer behind it right now,
>> but it's viable as a snort console.
>>
>> Michael...
>>
>> -----Original Message-----
>> From: AllowOverride [mailto:allowoverride at ...11827...]
>> Sent: Thursday, October 11, 2012 5:38 PM
>> To: Peter Bates
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Where's Waldo?
>>
>> I'm looking into Snorby, since BASE is dead... thanks
>>
>> On Thu, 2012-10-11 at 20:58 +0100, Peter Bates wrote:
>> >
>> > Hello all
>> >
>> > On 11/10/2012 20:29, AllowOverride wrote:
>> > > Just a test, I will clear tables, and close browser, come back in 1
>> > > hour increments, and see if that is the issue, it takes an hour to
>> > > input new data after BASE clear table buttons have cleared. I
>> > > assume there is a switch in the configs to make it quicker.
>> >
>> > I've never personally looked for the option to clear tables in BASE
>> > but I can say I use a script called archivesnort.pl which moves alerts
>> > after 7 days to the archive DB and deletes them after 30.
>> >
>> > If that is available with BASE I'd suggest you try that - i.e.
>> > modifying the database outside of the web interface - if you can't
>> > find it I can post it to the ML.
>> >
>> > That's what we do and I've never seen the problem you're describing.
>> >
>> > Alternatively, why not look at Snorby as a WUI - that has an inbuilt
>> > option to trim(*) the database after a fixed number of events.
>> >
>> > * - by trim I mean 'delete oldest events but not the entire contents
>> > of the table' - I can't think of a better word.
>> >
>> > - --
>> > Peter Bates
>> > Senior Computer Security Officer    Phone: +44(0)2076792049
>> > Information Services Division	    Internal Ext: 32049
>> > University College London
>> > London WC1E 6BT
>> >
>> >
>> > ----------------------------------------------------------------------
>> > -------- Don't let slow site performance ruin your business. Deploy
>> > New Relic APM Deploy New Relic app performance management and know
>> > exactly what is happening inside your Ruby, Python, PHP, Java, and
>> > .NET app Try New Relic at no cost today and get our sweet Data Nerd
>> > shirt too!
>> > http://p.sf.net/sfu/newrelic-dev2dev
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> > Snort news!
>>
>>
>
>



Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
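
The retention scheme Peter Bates describes in the quoted message (move alerts to an archive DB after 7 days, delete them after 30), sketched as an added example; it is not archivesnort.pl and not code from anyone in this thread. The two-table schema is a simplified stand-in assumed for a Snort alert database, SQLite stands in for the real database server, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed, simplified stand-in for a Snort alert database: one parent table
# and one per-event child table, both keyed by (sid, cid).
CHILD_TABLES = ("iphdr",)
SCHEMA = """
CREATE TABLE {db}.event (sid INT, cid INT, signature INT, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE {db}.iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, PRIMARY KEY (sid, cid));
"""
OLD = "(sid, cid) IN (SELECT sid, cid FROM {db}.event WHERE timestamp < ?)"
FMT = "%Y-%m-%d %H:%M:%S"

def open_dbs():
    """Live database as 'main', archive database attached beside it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    for db in ("main", "archive"):
        conn.executescript(SCHEMA.format(db=db))
    return conn

def rotate(conn, now, archive_days=7, purge_days=30):
    """Move alerts older than archive_days to the archive; purge archive past purge_days."""
    move_before = (now - timedelta(days=archive_days)).strftime(FMT)
    purge_before = (now - timedelta(days=purge_days)).strftime(FMT)
    with conn:  # one transaction: a failure part-way rolls everything back
        # Child rows go first, while their parent rows still identify them.
        for t in CHILD_TABLES:
            conn.execute(f"INSERT INTO archive.{t} SELECT * FROM main.{t} WHERE "
                         + OLD.format(db="main"), (move_before,))
            conn.execute(f"DELETE FROM main.{t} WHERE " + OLD.format(db="main"), (move_before,))
        conn.execute("INSERT INTO archive.event SELECT * FROM main.event WHERE timestamp < ?",
                     (move_before,))
        moved = conn.execute("DELETE FROM main.event WHERE timestamp < ?", (move_before,)).rowcount
        for t in CHILD_TABLES:
            conn.execute(f"DELETE FROM archive.{t} WHERE " + OLD.format(db="archive"), (purge_before,))
        purged = conn.execute("DELETE FROM archive.event WHERE timestamp < ?", (purge_before,)).rowcount
    return moved, purged

def demo():
    conn = open_dbs()
    # Constructed sample alerts: 1, 10 and 40 days old relative to `now`.
    for cid, ts in [(1, "2012-10-10 12:00:00"), (2, "2012-10-01 12:00:00"), (3, "2012-09-01 12:00:00")]:
        conn.execute("INSERT INTO main.event VALUES (1, ?, 1, ?)", (cid, ts))
        conn.execute("INSERT INTO main.iphdr VALUES (1, ?, 0, 0)", (cid,))
    conn.commit()
    moved, purged = rotate(conn, datetime(2012, 10, 11, 12, 0, 0))
    tables = ("main.event", "main.iphdr", "archive.event", "archive.iphdr")
    return moved, purged, {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in tables}
```

Against a real schema, every per-event table has to be listed in `CHILD_TABLES`; any table left out keeps orphaned rows after the parent event is moved or purged.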




