[Snort-devel] spo_database.c patch
baptiste at ...280...
Fri Feb 16 15:06:16 EST 2001
Neat idea - definitely will help a heavily loaded system. I wonder if
this would be better than say a shadow setup in 3.23 since the INSERTS
would be faster to snort (maybe... read below)
Note that to avoid a DELAY thread from using all the system memory
during a long table lock (where the pending INSERTS are stored), there
is an attribute dictating how many rows to store before the INSERT DELAY
The attribute is delayed_queue_size and on my RH box, it defaults to
1000 which is a fair amount. However if you have alerts flooding in and
your ACID queries take a while, you might want to adjust this value if
your system can handle it since it will still hang up snort if you fill
the default queue.
This should work from MySQL 3.22.15 onward.
One thing I noticed when researching INSERT DELAY is the docs say:
"Note that INSERT DELAYED is slower than a normal INSERT if the table
is not in use. There is also the additional overhead for the server to
handle a separate thread for each table on which you use INSERT DELAYED.
This means that you should only use INSERT DELAYED when you are really
sure you need it!"
This is a tad confusing. I can't see why you would care if you get 'OK'
returned instantly no matter what. Sure it might load the SQL server
more, but beyond that, it should still always be faster for Snort...
On the other hand, does this mean INSERT DELAY won't return 'OK'
instantly to Snort until the INSERT is actually complete if the table is
unlocked? (i.e., does INSERT DELAY just do a slower INSERT if the table
isn't in use?) I can't imagine this is the way it is designed, but it
doesn't seem clear since they said it's slower "if the table isn't in
use". If so, this would probably make things worse unless you were
doing ACID queries.
I'm not a MySQL expert so I figured I'd just mention this - anyone else
know the nitty gritty?
Simon Attwell wrote:
> There I go thinking again...
> If one has MYSQL _AND_ another DB enabled...
> then my patch breaks things... because you end up with INSERT (blah blah INSERT ( blah
> which of course doesn't work.
> I'll fix that :)
> Simon Attwell
> Systems Engineer
> 5520 Research Park Drive
> Madison, WI 53711
> attwell at ...276...
> Berbee... putting the E in business.
> On Fri, Feb 16, 2001 at 12:06:22PM -0600, Simon Attwell wrote:
>> Following is a diff which modifies the spo_database plugin to do delayed inserts for a
>> MySQL database; there are also stubs for other databases should the syntax vary.
>> This has been compiled and tested with current CVS versions of snort and acid and
>> MySQL version 3.23.33.
>> - Simon
Mike Baptiste mike at ...281...
Mebane, NC http://www.baptistefamily.net/