[Snort-users] postgres database module oddities...

Jed Pickel jed at ...153...
Thu Aug 24 13:27:59 EDT 2000


> Can anyone comment on the relative benefits under snort of the
> benefits of mysql vs postgresql?
> 
> I've heard that postgresql wins out for multiple reasons, but
> I'd like to do a survey.

I don't have any performance numbers at this point, but there are a
few general points worth making.

- Postgresql requires at a minimum twice as much storage space 
  because it does not support unsigned ints (and almost everything
  logged in snort is most efficiently represented as an unsigned
  int). Postgresql also does not have the equivalent of a TINYINT
  which is a one byte integer. If you have a lot of alerts, 
  postgresql will quickly consume hard drive space.

- MySQL has much better performance with inserting data. It can
  keep up with logging all tcp, udp, icmp traffic on a small network.
  Postgresql seems to take an order of magnitude longer for INSERTS.

- I suspect that postgresql is less likely to lose data under extreme
  conditions such as bursts of numerous concurrent queries, but I do not
  have the numbers to prove that right now.

I personally use MySQL, and have been successful in logging a high
rate of alerts (multiple per second) from multiple snort sensors to a
single database. I do intend to do some benchmarks to provide some
solid numbers and proof to the above statements. I am interested to
hear what others have experienced.

* Jed


