Network Security Snort-Users

[Snort-users] exporting snort logs

Subject: [Snort-users] exporting snort logs
Date: Tue, 23 Nov 2004 12:36:01 +0100
Hi All,

I know this has been an over-discussed matter, however I did not find
anything that could help me.
I am supposed to export LARGE records from Snort database (mysql). I have
ACID and also BASE set up on the machine.

PHP is giving me errors as I am exceeding the 8MB limit when trying to do a
CSV e-mail export on a certain alert that has almost 100,000 occurrences. I
am trying to increase the amount of memory PHP can use to something like
256MB just to see, but this means that anyway I will have a cap. Was
wondering if there is any tool that can do this like exporting in chunks or
something to avoid this problem and to be able to export - theoretically -
any amount of data... appreciate any ideas on this.

Also, how do you guys manage to identify false alarms? I am getting alerts for
"communication administratively prohibited" or something like that from a
few routers outside of our network for 19 IP addresses (8 machines) from
our network - there are like 140 machines - and this is up to almost
100,000. I did not manage to determine yet what is causing this huge
amount of alerts... tcpdump looks pretty encrypted to me, didn't see
anything interesting yet just lots of packets towards our proxy server and
to some exchange server...

Any hints on how to do this? Perhaps some tools ... ?

Another problem, my queries are VERY slow, waiting 3-4-5 minutes sometimes
to get a result list from ACID (db is like 500,000 alerts now).
Machine is a 2.8GHz P4 / 512 MB RAM / 80 GB HDD - 7200 RPM.

Is this normal or do I have some problems in the mysql database?

Greetings,
Endre

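One way to approach the export question, added here as an example and not part of Endre's message or of the Snort/ACID/BASE code: page through the alerts keyed on the (sid, cid) primary key instead of pulling the whole result set into PHP, so each query returns a bounded number of rows no matter how many occurrences the signature has. The schema below is a constructed, simplified stand-in for the tables the Snort MySQL output plugin writes (event, iphdr, icmphdr, signature); the alerts, IP addresses (documentation and private ranges) and the extra index are constructed for the example, and SQLite is used so it runs offline. The same block includes the aggregation a first false-alarm triage would start with: counting the "administratively prohibited" alerts per (source, destination) pair.

```python
"""Chunked CSV export and per-pair triage of Snort alerts.

Constructed example (not Snort, ACID or BASE code): the schema is a
simplified stand-in for the Snort MySQL output tables (event, iphdr,
icmphdr, signature) and every alert is generated, not captured.
Against MySQL the queries are the same with "?" replaced by "%s".
"""
import csv
import io
import socket
import sqlite3
import struct


def ip_to_str(n):
    """Snort stores addresses as unsigned 32-bit integers."""
    return socket.inet_ntoa(struct.pack("!I", n))


def str_to_ip(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def build_sample_db(rows=240):
    """Constructed data: three routers in 203.0.113.0/24 sending ICMP
    type 3 / code 13 towards an internal proxy and a mail server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
        CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER,
                              timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, ip_src INTEGER,
                              ip_dst INTEGER, PRIMARY KEY (sid, cid));
        CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER,
                              icmp_code INTEGER, PRIMARY KEY (sid, cid));
        -- constructed index so the keyed export below is a range scan
        CREATE INDEX event_sig ON event (signature, sid, cid);
    """)
    conn.execute("INSERT INTO signature VALUES (1, ?)", (
        "ICMP Destination Unreachable Communication Administratively Prohibited",))
    routers = [str_to_ip("203.0.113.%d" % i) for i in (1, 2, 3)]
    proxy, mail = str_to_ip("10.0.0.8"), str_to_ip("10.0.0.25")
    for i in range(rows):
        cid = i + 1
        ts = "2004-11-23 %02d:%02d:%02d" % (i // 3600, (i // 60) % 60, i % 60)
        conn.execute("INSERT INTO event VALUES (1, ?, 1, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)",
                     (cid, routers[i % 3], mail if i % 4 == 0 else proxy))
        conn.execute("INSERT INTO icmphdr VALUES (1, ?, 3, 13)", (cid,))
    conn.commit()
    return conn


# Keyed pagination: resume after the last (sid, cid) written, never OFFSET.
EXPORT_SQL = """
SELECT e.sid, e.cid, e.timestamp, s.sig_name, i.ip_src, i.ip_dst,
       ic.icmp_type, ic.icmp_code
FROM event e
JOIN signature s     ON s.sig_id = e.signature
JOIN iphdr i         ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN icmphdr ic ON ic.sid = e.sid AND ic.cid = e.cid
WHERE e.signature = ? AND (e.sid > ? OR (e.sid = ? AND e.cid > ?))
ORDER BY e.sid, e.cid
LIMIT ?
"""


def export_csv(conn, sig_id, out, chunk=1000):
    """Stream every alert for sig_id to the file-like `out`, `chunk` rows
    per query, so memory use is bounded by `chunk`, not by the alert count.
    Returns (rows_written, queries_that_returned_rows)."""
    writer = csv.writer(out)
    writer.writerow(["sid", "cid", "timestamp", "signature",
                     "src", "dst", "icmp_type", "icmp_code"])
    last_sid, last_cid, rows, chunks = 0, 0, 0, 0
    while True:
        batch = conn.execute(
            EXPORT_SQL, (sig_id, last_sid, last_sid, last_cid, chunk)).fetchall()
        if not batch:
            break
        chunks += 1
        for sid, cid, ts, name, src, dst, itype, icode in batch:
            writer.writerow([sid, cid, ts, name, ip_to_str(src),
                             ip_to_str(dst), itype, icode])
        rows += len(batch)
        last_sid, last_cid = batch[-1][0], batch[-1][1]
    return rows, chunks


def export_to_string(conn, sig_id, chunk=1000):
    out = io.StringIO()
    rows, chunks = export_csv(conn, sig_id, out, chunk)
    return out.getvalue(), rows, chunks


TRIAGE_SQL = """
SELECT i.ip_src, i.ip_dst, COUNT(*) AS n
FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.signature = ?
GROUP BY i.ip_src, i.ip_dst
ORDER BY n DESC, i.ip_src, i.ip_dst
LIMIT ?
"""


def top_pairs(conn, sig_id, limit=10):
    """First triage step for a noisy signature: a few (src, dst) pairs
    carrying almost all alerts points at one blocked flow, not many."""
    return [(ip_to_str(s), ip_to_str(d), n)
            for s, d, n in conn.execute(TRIAGE_SQL, (sig_id, limit))]


if __name__ == "__main__":
    db = build_sample_db()
    _, n, q = export_to_string(db, 1, chunk=100)
    print("exported %d rows in %d queries" % (n, q))
    for src, dst, count in top_pairs(db, 1):
        print("%-15s -> %-15s %d" % (src, dst, count))
```

Run against the real database, `export_csv` would be handed a MySQLdb connection and a file opened for writing instead of a StringIO; because each query is bounded by `chunk`, the PHP memory limit never enters the picture. The triage query is also the place to start on the slow-query question: running it (and the queries ACID issues) under EXPLAIN shows whether the join and filter columns are actually served by an index on the live tables.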