[Snort-devel] Mysql output plugin
attwell at ...277...
Fri Feb 16 10:57:22 EST 2001
Taking a brief glance at the mysql processlist while running an ACID query
and having input to the database from 2 sensors under fairly heavy load,
I noticed that the INSERTs from the snort boxes get locked by the SELECT from
the acid console. This raised a rather nasty question.
What does snort do during an output alert cycle when the output is a database
and the query takes, say, 30 seconds to complete?
I suspect that it may be the case that snort "stops" and waits for the output to complete
unless there is an internal alert queueing mechanism that can handle this problem.
I haven't looked far enough into the source to determine if that is the case.
I think I'm going to modify the spo_database plugin to use INSERT DELAYED when outputting
to a MySQL database. This allows the query to return an instant OK to the client. It also
allows the database to "batch" the INSERT queries for a specific table.
I'm not sure of the method that Postgres or ORACLE use to perform this method of insertion.
5520 Research Park Drive
Madison, WI 53711
attwell at ...276...
Berbee... putting the E in business.
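An added example, not part of the original post and not Snort's own code: a bounded alert queue of the kind the message asks about, where the detection path hands off alerts without waiting on the database and counts what it has to drop while the writer is stalled behind a lock. All names (`aq_push`, `aq_drain`, `simulate`), the capacity and the sample alerts are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define QCAP 8      /* constructed capacity; size it for alert rate x worst stall */
#define MSGLEN 64
/* Hypothetical alert record, not Snort's own structure. */
struct alert { unsigned sid; char msg[MSGLEN]; };

struct alert_queue {
    struct alert slot[QCAP];
    size_t head, count;       /* head indexes the oldest queued alert */
    unsigned long dropped;    /* alerts lost while the writer was stalled */
};

/* Detection side: never blocks. Returns 1 if queued, 0 if dropped. */
int aq_push(struct alert_queue *q, unsigned sid, const char *msg)
{
    if (q->count == QCAP) { q->dropped++; return 0; }
    struct alert *a = &q->slot[(q->head + q->count) % QCAP];
    a->sid = sid;
    snprintf(a->msg, MSGLEN, "%s", msg);   /* truncates, always terminated */
    q->count++;
    return 1;
}

/* Writer side: take up to max alerts, oldest first, for one batched INSERT. */
size_t aq_drain(struct alert_queue *q, struct alert *out, size_t max)
{
    size_t n = 0;
    while (n < max && q->count > 0) {
        out[n++] = q->slot[q->head];
        q->head = (q->head + 1) % QCAP;
        q->count--;
    }
    return n;
}

/* Model: rate alerts per tick; writer blocked for the first stall ticks, then drains batch per tick. */
unsigned long simulate(unsigned ticks, unsigned rate, unsigned stall, size_t batch)
{
    struct alert_queue q = {0};
    struct alert out[QCAP];
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < rate; i++)
            aq_push(&q, t * rate + i, "constructed alert");
        if (t >= stall)
            aq_drain(&q, out, batch > QCAP ? QCAP : batch);
    }
    return q.dropped;
}
```

The `dropped` counter is the value to export and alarm on: a queue hides a stalled database from the detection path, so without it a long lock turns into silent alert loss.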