Re: Snort, MySQL, Acid

["Ian Macdonald" <secsnort () dirk demon co uk>]

You might want to have a look at www.dirk.demon.co.uk/tools. I wrote some
scripts for managing the snort part of the database. The idea was that you
could run it every night in a  cron job or scheduled task. I am thinking
about extending them to create a complete copy of the demarc data as well so
you could have say 5 days in the active store that you monitor then another
copy of the demarc console installed that hits the archive database. This
would give you the ability to go back and loook at archived data, but with
the knowledge that it might take some time to bring back data


Ou of interest which setting in the IIS did you change. I couldn't track
down the setting that would stop the cgi-timeout messages in IIS.

Thanks

Ian
----- Original Message -----
From: "Whaley, Mike" <mwhaley () rightnow com>
To: "'Anton A. Chuvakin'" <anton () chuvakin org>; "Tim Sailer"
<sailer () bnl gov>
Cc: "Redman, Ken" <ken.redman () mssm edu>; "Snort Users List (E-mail)"
<snort-users () lists sourceforge net>
Sent: Monday, May 06, 2002 4:12 PM
Subject: RE: [Snort-users] Snort, MySQL, Acid


> I have the same configuration on win2k and I just fixed this problem with
> mine.  First, increase your timeout value in your acid_conf.php file.
Next
> you'll get cgi errors for IIS is you are running that.  Increase your
> timeout for IIS and that should fix it.  For about 25,000 records it takes
> about 1300 seconds to move the data to another archive on my machine.
> Everything works great now and I can successfully move, copy, and delete
> large amounts of data.
>
> Mike Whaley
>
> -----Original Message-----
> From: Anton A. Chuvakin [mailto:anton () chuvakin org]
> Sent: Monday, May 06, 2002 1:33 PM
> To: Tim Sailer
> Cc: Redman, Ken; Snort Users List (E-mail)
> Subject: Re: [Snort-users] Snort, MySQL, Acid
> Importance: High
>
>
> Hello,
>
> > I think the easiest way, since you have ACID, is to query on your IP
> > address in ACID, and then tell it to delete the whole query. It will
> > clean up nicely.
> Not it if you have 100,000 records or more.
>
> Sorry for a one-liner, but archiving/deleting with ACID for large
> databases is very unstable. I have not found a way to recover my
> ACID/snort database after it was flooded by thousands of records. That
> leaves in pretty much unusable shape.
>
> Best,
> --
>      Anton A. Chuvakin, Ph.D.
>      http://www.chuvakin.org
>    http://www.info-secure.org
>
>
> _
>
> _______________________________________________________________
>
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users