[Snort-users] DataBase Load Problem.

F.M. Taylor root at ...28...
Thu Nov 30 09:50:57 EST 2000

Greetings.  I am having what I hope is not too unique of a problem.  With
the base set of rules I am seeing about 1000 alerts a minute.  I am
writing these to a MySQL database on a Sun E3500.  I have Apache, PHP, and
ACID running on the same box, and nothing else (ya, way overkill, but it
was not in production yet).

The problem is that if I let the database fill for more than a couple of
hours (heck, a couple of minutes) the queries start to become *painfully*
slow.  After a megalert it is almost impossible to query the database thru
ACID.  I was thinking that an Oracle database might be faster, but I don't
remember seeing a logging module for Oracle, or an ACID config option for
it either.

Any ideas on how to speed this up so I can run it for a week or so at this
alert rate, and still get the data out when I click??


Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 039
210 N 7th St.                           Terre Haute, IN.
Voice: 812-237-8843                                  47809
"You have zero privacy anyway.  Get over it."
           --Scott McNealy, Sun MicroSystems. 
