[Snort-users] Mysql errors [plus possible fix?]

Jason Haar Jason.Haar at ...294...
Sun Nov 5 22:25:28 EST 2000


On Sun, Nov 05, 2000 at 09:33:14PM -0500, Jed Pickel wrote:
> Interesting. Can you reproduce this error? Has anyone else ever seen
> this one? The only cause I can think of is a fatal error (perhaps

Well it's happening right now :-)

My snort and mysqld daemons aren't restarting/crashing or the like, and what
I'm seeing is the same alert happening several times in one second.

> One of the early versions of this plugin worked like that. The problem
> you run into is concurrency when you have multiple sensors logging to
> the database. You can fix this with locking but taking that route
> turned out to be fairly expensive comparative to the current model.

I would have thought LAST_INSERT_ID() would have taken care of that - those
counters are all thread-based so each thread should be independent of the
others, right?


As in:


Snort1         Snort2
  |_______________|
      |     |    
      |     |    
      |     |    
      |     |    
      ------
       MySQL
       
       
Snort1 and Snort2 simultaneously insert new event via:

INSERT into event (1,,'xxx','2000-11-06 12:55:23');
INSERT into event (2,,'xxx','2000-11-06 12:55:23');

Snort1 and Snort2 then both do LAST_INSERT_ID() and get returned different
cid's which they then use for the rest of the transaction. Wouldn't that
work? As it is, with different sensors there shouldn't be any locking issues
anyway?

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417



More information about the Snort-users mailing list