[Snort-users] DataBase Load Problem.
ryan at ...35...
Thu Nov 30 12:24:46 EST 2000
On Thu, 30 Nov 2000, F.M. Taylor wrote:
> Greetings. I am having what I hope is not too unique of a problem. With
> the base set of rules I am seeing about 1000 alerts a minute. I am
> writing these to a mysql database on a Sun E3500. I have apache, PHP, and
> ACID, running on the same box, and nothing else (ya, way overkill, but it
> was not in production yet).
> The problem is that if I let the database fill for more than a couple of
> hours (heck, a couple of minutes) the queries start to become *painfully*
> slow. After a megalert it is almost impossible to query the database thru

MySQL has to do a table lock on each write at present. For a table with a
lot of writing this can get somewhat slow, if reads are also waiting to
take place. The MySQL folks are working on row-level locking, but I don't
know how long it will take. PostgreSQL might work better under those
circumstances, but I don't know the Snort support status. Oracle should
certainly be able to keep up, again if it's supported.