[Snort-devel] Mysql output plugin

Simon Attwell attwell at ...277...
Fri Feb 16 10:57:22 EST 2001


Taking a brief glance at the mysql processlist while running an ACID query
and having input to the database from 2 sensors under fairly heavy load.

I noticed that the INSERTs from the snort boxes get locked by the SELECT from
the acid console. This raised a rather nasty question.

What does snort do during an output alert cycle when the output is a database
and the query takes say 30 seconds to complete ?

I suspect that it may be the case that snort "stops" and waits for the output to complete
unless there is an internal alert queueing mechanism that can handle this problem.
I haven't looked far enough into the source to determine if that is the case.

I think I'm going to modify the spo_database plugin to use INSERT DELAYED when outputting
to a MySQL database. This allows the query to return an instant OK to the client. It also
allows the database to "batch" the INSERT queries for a specific table.

I'm not sure of the method Postgres or ORACLE use to perform this method of insertion.

	- Simon
--
Simon Attwell
Systems Engineer
Berbee
5520 Research Park Drive
Madison, WI 53711
attwell at ...276...

Berbee... putting the E in business.
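The blocking behaviour the post worries about, and the internal alert queue it mentions as the alternative, modelled as an added example (Python, not Snort's spo_database code; SlowSink, sync_output and queued_output are constructed names standing in for a locked MySQL table and the two output strategies):

```python
"""Sensor alert output against a slow database sink (constructed model).

sync_output emits each alert inline, so the capture loop waits on every
INSERT (the stall the post suspects). queued_output hands alerts to a
bounded queue drained by a writer thread, so capture never waits, and
counts what it had to drop when the queue was full: the blind spot is
then measurable instead of silent.
"""
import queue
import threading
import time


class SlowSink:
    """Stand-in for a MySQL table held by a long-running ACID SELECT."""

    def __init__(self, delay_s):
        self.delay_s = delay_s
        self.rows = []

    def insert(self, alert):
        time.sleep(self.delay_s)  # the INSERT waits for the table lock
        self.rows.append(alert)


def sync_output(alerts, sink):
    """Inline output: returns seconds the capture loop spent blocked."""
    start = time.monotonic()
    for alert in alerts:
        sink.insert(alert)
    return time.monotonic() - start


def queued_output(alerts, sink, maxsize):
    """Queued output: returns (capture seconds, dropped, rows written)."""
    q = queue.Queue(maxsize=maxsize)
    dropped = 0

    def writer():
        while (item := q.get()) is not None:
            sink.insert(item)

    t = threading.Thread(target=writer, daemon=True)
    t.start()
    start = time.monotonic()
    for alert in alerts:
        try:
            q.put_nowait(alert)      # never wait on the database
        except queue.Full:
            dropped += 1             # record the loss instead of stalling
    elapsed = time.monotonic() - start
    q.put(None)                      # sentinel; writer exits after draining
    t.join()
    return elapsed, dropped, len(sink.rows)
```

MySQL's INSERT DELAYED made the same trade: an instant reply to the client, with the rows held only in server memory until written.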
