[Snort-users] postgres database module oddities...
jed at ...153...
Thu Aug 24 13:27:59 EDT 2000
> Can anyone comment on the relative benefits under snort of the
> benefits of mysql vs postgresql?
> I've heard that postgresql wins out for multiple reasons, but
> I'd like to do a survey.
I don't have any performance numbers at this point, but there are a
few general points worth making.
- PostgreSQL requires at a minimum twice as much storage space
because it does not support unsigned ints (and almost everything
logged in snort is most efficiently represented as an unsigned
int). PostgreSQL also does not have the equivalent of a TINYINT,
which is a one-byte integer. If you have a lot of alerts,
PostgreSQL will quickly consume hard drive space.
- MySQL has much better performance with inserting data. It can
keep up with logging all TCP, UDP, ICMP traffic on a small network.
PostgreSQL seems to take an order of magnitude longer for INSERTs.
- I suspect that PostgreSQL is less likely to lose data under extreme
conditions such as bursts of numerous concurrent queries, but I do not
have the numbers to prove that right now.
I personally use MySQL, and have been successful in logging a high
rate of alerts (multiple per second) from multiple snort sensors to a
single database. I do intend to do some benchmarks to provide some
solid numbers and proof to the above statements. I am interested to
hear what others have experienced.