Snort mailing list archives
Re: ACID / ALERT console browsing issue
From: adam_peterson () splwg com
Date: Tue, 25 Nov 2003 13:33:28 -0800
I've had similar issues and tried tweaking everything possible. The only solution was more powerful hardware on the machine running ACID. I'm not sure if that's the case for you, but if you're logging the alerts to the same machine that's running ACID and you see that it's faster when Snort isn't running, I think this is the case.

I moved MySQL and ACID to a dual XEON 2ghz with 2gb RAM and it's now faster than I ever thought possible. I used to run the same setup on Solaris 8 on a Sunfire V100, faster than what you have (I think), and even on that it was intolerably slow. The reason I finally moved everything to the dual XEON machine was because I average about 1000 alerts per day globally (5 sensors) and MySQL would time out when I tried deleting more than a couple thousand alerts. I thought MySQL needed to be tweaked but, like I said, I tried and tried to no avail. My guess is hardware.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com | +1.415.357.4787

From: Shekar Reddy <shekar.reddy () propel com>
To: snort-users () lists sourceforge net
Date: Tue, 25 Nov 2003 12:17:15 -0800
Subject: [Snort-users] ACID / ALERT console browsing issue

Hi,

I'm running SNORT 2.0.4 and ACID on a Sun ULTRA 5 workstation with Solaris 9 O.S. I'm experiencing SNORT / ACID performance problems on a live network. It takes more than 120 seconds to move from one page to another while browsing the ACID console. Just wanted to know how to optimize. It was all OK in a test environment. It used to take just 2 seconds to load the pages.

Here is SNORT hardware information:

Snort 1 (+ACID +snortcenter) : sun ultra 5 SPARC IIi 360MHz, 512 MB, 10GB
Snort2 sensor : sun ultra 5 SPARC IIi 360MHz, 512 MB, 10GB

Here's one more glitch: snort boxes are in datacenter and I'm trying to browse ACID console from my work place through my VPN session to datacenter. NOTE: I don't have any VPN latency issues for other applications. We have a partial DS3 connection at our work place too.

Here is an important NOTE: When I stop mirroring the traffic, I see significant browsing performance. Please let me know what is the bottleneck here. Acid main page itself will take 120 seconds to download. How can I improve the ACID CONSOLE browsing performance?

NOTE: I haven't tried browsing ACID directly from snort/ACID machine. I'll try that and post it later.

Any suggestions are appreciated...

Thanks
S
Current thread:
- ACID / ALERT console browsing issue Shekar Reddy (Nov 25)
- <Possible follow-ups>
- Re: ACID / ALERT console browsing issue adam_peterson (Nov 25)
- Re: Re: ACID / ALERT console browsing issue Josh Berry (Dec 03)
- RE: Re: ACID / ALERT console browsing issue Schmehl, Paul L (Dec 03)