Subject: Re: [snort] Re: [anno] php snort statistics web page script
From: Jed Pickel (jedpickel.net)
Date: Tue Mar 07 2000 - 10:13:15 CST


> Well, there is a minor problem now, which is the efficiency of those SQL
> queries. Now I have about 45,000+ events in the database, and it will take
> the php about half a minute to generate the webpage... :(

This is probably because the query that returns the same source IP
with the same signature returns so much data. I only have 8,000+ events
and I started seeing performance issues with this query.

I fixed this by limiting this query to the top 20 like this:

   -- one row per (source IP, signature), busiest pairs first
   SELECT iphdr.sip, COUNT(iphdr.id) AS total, event.signature,
          MAX(event.timestamp)
     FROM iphdr, event
    WHERE event.id = iphdr.id
 GROUP BY iphdr.sip, event.signature
 ORDER BY total DESC LIMIT 20

You will probably need to limit the scan query in a similar way.

BTW... I was thinking of writing an output plugin to log to an ODBC
datasource (i.e. any database). Just curious... Would anyone other
than myself use this?

* Jed
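A runnable version of the top-N query from the message above, added here as an example and not code from Jed's script or the Snort database plugin. It builds an in-memory SQLite database with a schema that is an assumption modelled on the columns the query references (event.id, event.signature, event.timestamp; iphdr.id, iphdr.sip, iphdr.dip), loads a few constructed alerts, and runs the grouped query with a parameterised LIMIT. The page does not show the scan query, so the one here (rank sources by distinct destination hosts) is also an assumption, included only to show the same LIMIT treatment.

```python
import sqlite3

# Constructed sample alerts (not from the original post): a few source IPs
# and two signatures so the grouped query has something to rank.
SAMPLE_EVENTS = [
    # (sip, dip, signature, timestamp)
    ("10.0.0.5",     "192.168.1.10", "WEB-CGI phf access", "2000-03-07 09:00:01"),
    ("10.0.0.5",     "192.168.1.11", "WEB-CGI phf access", "2000-03-07 09:05:00"),
    ("10.0.0.5",     "192.168.1.10", "WEB-CGI phf access", "2000-03-07 09:10:00"),
    ("10.0.0.5",     "192.168.1.12", "SCAN nmap TCP",      "2000-03-07 09:12:00"),
    ("172.16.3.7",   "192.168.1.10", "WEB-CGI phf access", "2000-03-07 09:20:00"),
    ("172.16.3.7",   "192.168.1.10", "WEB-CGI phf access", "2000-03-07 09:21:00"),
    ("192.168.77.4", "192.168.1.10", "SCAN nmap TCP",      "2000-03-07 09:30:00"),
    ("192.168.77.4", "192.168.1.11", "SCAN nmap TCP",      "2000-03-07 09:30:01"),
    ("192.168.77.4", "192.168.1.12", "SCAN nmap TCP",      "2000-03-07 09:30:02"),
    ("192.168.77.4", "192.168.1.13", "SCAN nmap TCP",      "2000-03-07 09:30:03"),
]


def build_db():
    """Create an in-memory database with the assumed schema and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # Schema is an assumption: event and iphdr share an id, one row per alert.
    # The indexes are not in the original query; they are here because LIMIT
    # only trims the output, the GROUP BY still has to visit every row.
    cur.executescript("""
        CREATE TABLE event (id INTEGER PRIMARY KEY, signature TEXT, timestamp TEXT);
        CREATE TABLE iphdr (id INTEGER PRIMARY KEY, sip TEXT, dip TEXT);
        CREATE INDEX idx_event_signature ON event(signature);
        CREATE INDEX idx_iphdr_sip ON iphdr(sip);
    """)
    for event_id, (sip, dip, sig, ts) in enumerate(SAMPLE_EVENTS, start=1):
        cur.execute("INSERT INTO event VALUES (?, ?, ?)", (event_id, sig, ts))
        cur.execute("INSERT INTO iphdr VALUES (?, ?, ?)", (event_id, sip, dip))
    conn.commit()
    return conn


# The query from the message, with the LIMIT as a bound parameter and the
# source IP as a tie-break so equal counts come back in a stable order.
TOP_SOURCES_SQL = """
    SELECT iphdr.sip, COUNT(iphdr.id) AS total, event.signature, MAX(event.timestamp)
      FROM iphdr JOIN event ON event.id = iphdr.id
  GROUP BY iphdr.sip, event.signature
  ORDER BY total DESC, iphdr.sip
     LIMIT ?
"""

# Assumed scan query (the original is not shown): sources touching the most
# distinct destination hosts, limited the same way.
TOP_SCANNERS_SQL = """
    SELECT iphdr.sip, COUNT(DISTINCT iphdr.dip) AS hosts, COUNT(iphdr.id) AS total
      FROM iphdr
  GROUP BY iphdr.sip
  ORDER BY hosts DESC, total DESC, iphdr.sip
     LIMIT ?
"""


def top_sources(conn, limit=20):
    """(sip, total, signature, last_seen) for the busiest source/signature pairs."""
    return conn.execute(TOP_SOURCES_SQL, (limit,)).fetchall()


def top_scanners(conn, limit=20):
    """(sip, distinct_hosts, total) for the sources hitting the most hosts."""
    return conn.execute(TOP_SCANNERS_SQL, (limit,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in top_sources(db, limit=5):
        print(row)
    for row in top_scanners(db, limit=5):
        print(row)
```

The LIMIT keeps the PHP page from rendering thousands of rows, which is where most of the half-minute goes, but the database still aggregates every event to find the top 20; on a table of tens of thousands of rows the indexes on the join and grouping columns are what keep that part cheap.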