[Snort-users] Where's Waldo?

AllowOverride allowoverride at ...11827...
Fri Oct 12 13:00:12 EDT 2012


Hey Paul, thanks man!

On Thu, 2012-10-11 at 22:17 -0500, Paul Schmehl wrote:
> Look in the base config file (base_conf.php).  You will find these 
> configuration options:
> 
> $refresh_stat_page = 1;
> $refresh_all_pages = 0;
> $stat_page_refresh_time = 180;
> 
> If 3 minutes is too long a refresh time for you, change it.
> 
> --On October 11, 2012 5:08:19 PM -0700 AllowOverride 
> <allowoverride at ...11827...> wrote:
> 
> > BASE is working, just not refreshing new data after clearing tables with the
> > radio button on the BASE GUI.
> >
> > Not a biggie; it still logs after a short while. I haven't found exact times
> > though, but I would say in less than 24 hours it will populate the BASE GUI
> > again. Just odd...
> >
> > On Thu, 2012-10-11 at 18:05 -0400, Michael Steele wrote:
> >> BASE is a great place to start out. Maybe when you get everything working
> >> properly then make the switch.
> >>
> >> BASE is a viable option, it may not have a developer behind it right now,
> >> but it's viable as a snort console.
> >>
> >> Michael...
> >>
> >> -----Original Message-----
> >> From: AllowOverride [mailto:allowoverride at ...11827...]
> >> Sent: Thursday, October 11, 2012 5:38 PM
> >> To: Peter Bates
> >> Cc: snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Where's Waldo?
> >>
> >> I'm looking into Snorby, since BASE is dead... thanks
> >>
> >> On Thu, 2012-10-11 at 20:58 +0100, Peter Bates wrote:
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA1
> >> >
> >> >
> >> > Hello all
> >> >
> >> > On 11/10/2012 20:29, AllowOverride wrote:
> >> > > Just a test: I will clear tables, close the browser, come back in
> >> > > 1-hour increments, and see if that is the issue, i.e. that it takes an
> >> > > hour to input new data after the BASE clear-table buttons have cleared.
> >> > > I'm assuming there is a switch in the configs to make it quicker.
> >> >
> >> > I've never personally looked for the option to clear tables in BASE
> >> > but I can say I use a script called archivesnort.pl which moves alerts
> >> > after 7 days to the archive DB and deletes them after 30.
> >> >
> >> > If that is available with BASE I'd suggest you try that - i.e.
> >> > modifying the database outside of the web interface - if you can't
> >> > find it I can post it to the ML.
> >> >
> >> > That's what we do and I've never seen the problem you're describing.
> >> >
> >> > Alternatively, why not look at Snorby as a WUI - that has an inbuilt
> >> > option to trim(*) the database after a fixed number of events.
> >> >
> >> > * - by trim I mean 'delete oldest events but not the entire contents
> >> > of the table' - I can't think of a better word.
> >> >
> >> > - --
> >> > Peter Bates
> >> > Senior Computer Security Officer    Phone: +44(0)2076792049
> >> > Information Services Division	    Internal Ext: 32049
> >> > University College London
> >> > London WC1E 6BT
> >> > -----BEGIN PGP SIGNATURE-----
> >> > Version: GnuPG v1.4.11 (Darwin)
> >> > Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> >> >
> >> > iQEcBAEBAgAGBQJQdyTUAAoJELhVoVpEMS6RsvgH/iJ00PzneI6hlwoFiZz2Xtab
> >> > D+T9Xr69BcHxlZ8FLpWWkkJQWxaeLIIQUKs6yWdkeD3Nn+8P9prpHFfdCeIV55a4
> >> > ICMyIuPj09EMMWyTLQzO2+VZwYh4RmJ4e/XuyD2VAfYobScJdrz6/fHsV6mn0Bm/
> >> > J3SaKlYA4Wm/ou+x5rvJW3J9gSOpQoLfLTUBqBnr3yv8SxiKJQw1WZvYHr2LF0lb
> >> > NxgaQlNjVZtokg0B3fIj6Dhhyecj7M+tjrSs0wqqXd5rU1oOgvDwdiLr1LfYNCAs
> >> > zBd87P9j1mVF9VlLgBhtLr+3/jOVIGAooQK4QWOtLtASmrlBOp7H4rhhIxvP5oQ=
> >> > =S82d
> >> > -----END PGP SIGNATURE-----
> >> >
> >> >
> >> > ----------------------------------------------------------------------
> >> > Don't let slow site performance ruin your business. Deploy New Relic APM
> >> > Deploy New Relic app performance management and know exactly what is
> >> > happening inside your Ruby, Python, PHP, Java, and .NET app
> >> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> >> > http://p.sf.net/sfu/newrelic-dev2dev
> >> > _______________________________________________
> >> > Snort-users mailing list
> >> > Snort-users at lists.sourceforge.net
> >> > Go to this URL to change user options or unsubscribe:
> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >> > Snort-users list archive:
> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >
> >> > Please visit http://blog.snort.org to stay current on all the latest
> >> > Snort news!
> >>
> >>
> >>
> >
> >
> 
> 
> 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
> 
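The retention policy Peter describes above (move alerts to an archive database after 7 days, delete them after 30) together with the Snorby-style trim by count, as an added example: this is not archivesnort.pl, not Snorby's code, and not anything posted in this thread. It assumes a constructed, minimal schema, a live `event` table keyed by (sid, cid) with a `timestamp` column and an identically shaped `event_archive` table, and it runs against an in-memory SQLite database with constructed sample alerts so it can be executed offline.

```python
import sqlite3
from datetime import datetime, timedelta

ARCHIVE_AFTER_DAYS = 7    # live alerts move to the archive after this many days
DELETE_AFTER_DAYS = 30    # archived alerts are dropped after this many days
TS_FMT = "%Y-%m-%d %H:%M:%S"  # fixed-width text, so string comparison orders by time

# Constructed, minimal stand-in for the Snort database (an assumption of this
# example): the live `event` table and an identically shaped `event_archive`,
# both keyed by (sid, cid).
SCHEMA = """
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
CREATE TABLE event_archive (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
"""


def open_db():
    """In-memory SQLite database with the constructed schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_event(conn, sid, cid, signature, when):
    conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                 (sid, cid, signature, when.strftime(TS_FMT)))
    conn.commit()


def archive_old_events(conn, now, days=ARCHIVE_AFTER_DAYS):
    """Move live events older than `days` into event_archive; return rows moved.

    The copy and the delete run in one transaction: if the process dies between
    them nothing is committed, so no alert is lost or duplicated.
    """
    cutoff = (now - timedelta(days=days)).strftime(TS_FMT)
    with conn:
        moved = conn.execute(
            "SELECT COUNT(*) FROM event WHERE timestamp < ?", (cutoff,)).fetchone()[0]
        conn.execute(
            "INSERT INTO event_archive SELECT * FROM event WHERE timestamp < ?", (cutoff,))
        conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
    return moved


def purge_archive(conn, now, days=DELETE_AFTER_DAYS):
    """Delete archived events older than `days`; return rows deleted."""
    cutoff = (now - timedelta(days=days)).strftime(TS_FMT)
    with conn:
        cur = conn.execute("DELETE FROM event_archive WHERE timestamp < ?", (cutoff,))
    return cur.rowcount


def trim_live_events(conn, keep):
    """Snorby-style trim: drop the oldest live events, keeping the newest `keep`."""
    with conn:
        cur = conn.execute(
            "DELETE FROM event WHERE rowid NOT IN "
            "(SELECT rowid FROM event ORDER BY timestamp DESC, cid DESC LIMIT ?)",
            (keep,))
    return cur.rowcount


def count_rows(conn, table):
    if table not in ("event", "event_archive"):  # never splice caller input into SQL
        raise ValueError(table)
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def run_retention(now=None):
    """Seed constructed alerts at three ages, apply the 7/30-day policy plus a
    trim, and return the resulting counts."""
    now = now or datetime(2012, 10, 12, 13, 0, 0)
    conn = open_db()
    # Constructed sample data: 3 alerts a day old, 4 two weeks old, 2 six weeks old.
    cid = 0
    for age_days, n in ((1, 3), (14, 4), (45, 2)):
        for _ in range(n):
            cid += 1
            insert_event(conn, 1, cid, 1000000 + cid, now - timedelta(days=age_days))
    moved = archive_old_events(conn, now)     # the 6 alerts older than 7 days
    purged = purge_archive(conn, now)         # the 2 of those older than 30 days
    trimmed = trim_live_events(conn, keep=2)  # 3 live alerts remain; keep the newest 2
    return {"moved": moved, "purged": purged, "trimmed": trimmed,
            "live": count_rows(conn, "event"),
            "archived": count_rows(conn, "event_archive")}


if __name__ == "__main__":
    print(run_retention())
```

Two caveats before pointing something like this at a real Snort database: the packet tables there (iphdr, tcphdr, udphdr, icmphdr, data) are keyed by the same (sid, cid) as `event` and have to be moved and deleted inside the same transaction, otherwise the archive ends up with alerts that have no packet data and the live database with orphan rows; and the job should run under a database account granted only the rights it needs on those tables, not the web console's credentials.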




