[Snort-users] DataBase Load Problem.

Ryan Russell ryan at ...35...
Thu Nov 30 12:24:46 EST 2000


On Thu, 30 Nov 2000, F.M. Taylor wrote:

> 
> Greetings.  I am having what I hope is not too unique of a problem.  With
> the base set of rules I am seeing about 1000 alerts a minute.  I am
> writing these to a mysql database on a Sun E3500.  I have apache, PHP, and
> ACID, running on the same box, and nothing else (ya, way overkill, but it
> was not in production yet).  
> 
> The problem is that if I let the database fill for more than a couple of
> hours (heck, a couple of minutes) the queries start to become *painfully*
> slow.  After a megalert it is almost impossible to query the database thru

MySQL has to do a table lock on each write at present.  For a table with a
lot of writing this can get somewhat slow, if reads are also waiting to
take place.  The MySQL folks are working on row-level locking, but I don't
know how long it will take.  PostgreSQL might work better under those
circumstances, but I don't know the Snort support status.  Oracle should
certainly be able to keep up, again if it's supported.

						Ryan



