[Snort-devel] spo_database.c patch

Mike Baptiste baptiste at ...280...
Fri Feb 16 15:06:16 EST 2001

Neat idea - definitely will help a heavily loaded system.  I wonder if 
this would be better than say a shadow setup in 3.23 since the INSERTS 
would be faster to snort (maybe... read below)

Note that to avoid a DELAY thread from using all the system memory 
during a long table lock (where the pending INSERTS are stored), there 
is an attribute dictating how many rows to store before the INSERT DELAY 
is locked.

The attribute is delayed_queue_size and on my RH box, it defaults to 
1000 which is a fair amount. However if you have alerts flooding in and 
your ACID queries take a while, you might want to adjust this value if 
your system can handle it since it will still hang up snort if you fill 
the default queue.

This should work from mySQL 3.22.15 onward.

One thing I noticed when researching INSERT DELAY is the docs say:

" Note that INSERT DELAYED is slower than a normal INSERT if the table 
is not in use. There is also the additional overhead for the server to 
handle a separate thread for each table on which you use INSERT DELAYED. 
This means that you should only use INSERT DELAYED when you are really 
sure you need it!"

This is a tad confusing. I can't see why you would care if you get 'OK' 
returned instantly no matter what. Sure it might load the SQL server 
more, but beyond that, it should still always be faster for Snort...

On the other hand, does this mean INSERT DELAY won't return 'OK' 
instantly to Snort until the INSERT is actually complete if the table is 
unlocked? (ie does INSERT DELAY just do a slower INSERT if the table 
isn't in use?) I can't imagine this is the way it is desgined, but it 
doesn't seem clear since they said its slower "if the table isn't in 
use".   If so, this would probably make things worse unless you were 
doing ACID queries.

I'm not a mySQL expert so I figured I'd just mention this - anyone else 
know the nitty gritty?


Simon Attwell wrote:

> There I go thinking again...
> If one has MYSQL _AND_ another DB enabled...
> then my patch breaks things... because you end up with INSERT (blah blah INSERT ( blah
> which of course doesnt work.
> I'll fix that :)
> 	 -Simon
> --
> Simon Attwell
> Systems Engineer
> Berbee
> 5520 Research Park Drive
> Madison, WI 53711
> attwell at ...276...
> Berbee... putting the E in business.
> On Fri, Feb 16, 2001 at 12:06:22PM -0600, Simon Attwell wrote:
>> Following is a diff which modifies the spo_database plugin to do delayed inserts for a
>> mysql database, there are also stubs for other databases should the syntax vary.
>> This has been compiled and tested with current CVS versions of snort and acid and 
>> MySQL version 3.23.33.
>> 	- Simon
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

Mike Baptiste           mike at ...281...
Mebane, NC       http://www.baptistefamily.net/

More information about the Snort-devel mailing list