[Snort-users] DataBase Load Problem.

Austad, Jay austad at ...432...
Thu Nov 30 16:55:06 EST 2000


> know how long it will take.  PostgreSQL might work better under those
> circumstances, but I don't know the Snort support status.

Snort supports it; I had it working, until I found out that ACID is only
written for MySQL.  I really wish ACID was written with some sort of
abstraction layer.  Now I'm stuck using MySQL and my alerts database grows
"really" fast.  Thousands of portscans per day, which don't necessarily get
logged to the db, but the nessus scans and other stuff certainly do.

Does anyone have any suggestions for parsing through so much data that it
could keep 4 or 5 people busy all day?  I'm using Acid now, but I'll never
see all of the alerts that come in.  I guess primarily it's going to have to
just be used for keeping a record of strange things in case someone does
compromise a box or do something else shady.  I'm planning on increasing the
use of snort and logging it all to one central database.  If I get my way,
I'll be collecting 5-10 times more data than I am now.  

Also, does anyone have any suggestions for brands/models of ethernet cards
to use?  I'm using an Intel eepro100 now and I get console messages that say
the card has run out of resources.  Someone using a 3c905 reported the same
thing a couple of days ago.

Jay

> -----Original Message-----
> From: Ryan Russell [mailto:ryan at ...35...]
> Sent: Thursday, November 30, 2000 11:25 AM
> To: F.M. Taylor
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] DataBase Load Problem.
> 
> 
> On Thu, 30 Nov 2000, F.M. Taylor wrote:
> 
> > greetings.  I am having what I hope is not too unique of a problem.  With
> > the base set of rules I am seeing about 1000 alerts a minute.  I am
> > writing these to a mysql database on a Sun E3500.  I have apache, PHP, and
> > ACID, running on the same box, and nothing else (ya, way overkill, but it
> > was not in production yet).
> >
> > The problem is that if I let the database fill for more than a couple of
> > hours (heck, a couple of minutes) the queries start to become *painfully*
> > slow.  After a megalert it is almost impossible to query the database thru
> 
> MySQL has to do a table lock on each write at present.  For a table with a
> lot of writing this can get somewhat slow, if reads are also waiting to
> take place.  The MySQL folks are working on row-level locking, but I don't
> know how long it will take.  PostgreSQL might work better under those
> circumstances, but I don't know the Snort support status.  Oracle should
> certainly be able to keep up, again if it's supported.
> 
> 						Ryan
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
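Jay's question about parsing a database that grows faster than a few analysts can read it, and the lock contention Ryan describes on a write-heavy table, both come down to the same two practices: query aggregates instead of reading every row, and keep the hot table small. The script below is an added example written for this thread; it is not code from Jay, Ryan, Snort or ACID. It assumes a simplified alert table (`ts`, `sig_name`, `src_ip`, `dst_ip`, `dst_port`) that is much flatter than the real Snort database schema, uses sqlite3 in place of MySQL so it runs offline, and loads a handful of constructed sample alerts.

```python
"""Triage summaries and archiving over a Snort-style alert table.

Added example for the thread, not code from Snort, ACID or the posters.
Assumed (not from the thread): a flat alert table and sqlite3 standing in for
MySQL.  The sample alerts are constructed, with made-up signature names.
"""
import sqlite3

# Constructed sample alerts: (timestamp, signature, src_ip, dst_ip, dst_port).
# One noisy scanner (10.0.0.5), a bit of ping noise, and two one-off alerts.
SAMPLE_ALERTS = [
    ("2000-11-28 09:00:00", "PORTSCAN", "10.0.0.5", "192.168.1.10", 22),
    ("2000-11-28 09:00:01", "PORTSCAN", "10.0.0.5", "192.168.1.10", 23),
    ("2000-11-28 09:00:02", "PORTSCAN", "10.0.0.5", "192.168.1.10", 80),
    ("2000-11-29 14:10:00", "WEB-CGI probe", "10.0.0.7", "192.168.1.20", 80),
    ("2000-11-30 08:00:00", "PORTSCAN", "10.0.0.9", "192.168.1.30", 443),
    ("2000-11-30 08:05:00", "ICMP PING", "10.0.0.7", "192.168.1.20", 0),
    ("2000-11-30 08:06:00", "ICMP PING", "10.0.0.9", "192.168.1.30", 0),
    ("2000-11-30 11:30:00", "FTP overflow attempt", "10.0.0.11", "192.168.1.40", 21),
]

SCHEMA = "(ts TEXT, sig_name TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER)"


def open_db():
    """Create the hot table, an archive table, and load the sample alerts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE alerts " + SCHEMA)
    con.execute("CREATE TABLE alerts_archive " + SCHEMA)
    # Every query below filters or groups on these columns; without indexes
    # each one is a full scan of a table that grows by the minute.
    con.execute("CREATE INDEX idx_alerts_ts ON alerts(ts)")
    con.execute("CREATE INDEX idx_alerts_sig ON alerts(sig_name)")
    con.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?)", SAMPLE_ALERTS)
    con.commit()
    return con


def top_signatures(con, limit=5):
    """Most frequent signatures: the noise that should be tuned, not read."""
    return con.execute(
        "SELECT sig_name, COUNT(*) AS c FROM alerts "
        "GROUP BY sig_name ORDER BY c DESC, sig_name LIMIT ?", (limit,)
    ).fetchall()


def noisy_sources(con, min_alerts=3):
    """Sources with many alerts, plus how many distinct ports they touched."""
    return con.execute(
        "SELECT src_ip, COUNT(*) AS c, COUNT(DISTINCT dst_port) AS ports "
        "FROM alerts GROUP BY src_ip HAVING c >= ? ORDER BY c DESC, src_ip",
        (min_alerts,)
    ).fetchall()


def rare_signatures(con, max_count=1):
    """Low-frequency signatures: the ones worth a human's attention first."""
    rows = con.execute(
        "SELECT sig_name FROM alerts GROUP BY sig_name "
        "HAVING COUNT(*) <= ? ORDER BY sig_name", (max_count,)
    )
    return [r[0] for r in rows]


def archive_older_than(con, cutoff_ts):
    """Move rows older than cutoff_ts out of the hot table in one transaction.

    Keeps the table the console queries small; old rows stay queryable in
    alerts_archive for the 'what happened before the compromise' case.
    """
    with con:  # commits on success, rolls back if either statement fails
        (n,) = con.execute(
            "SELECT COUNT(*) FROM alerts WHERE ts < ?", (cutoff_ts,)).fetchone()
        con.execute(
            "INSERT INTO alerts_archive SELECT * FROM alerts WHERE ts < ?",
            (cutoff_ts,))
        con.execute("DELETE FROM alerts WHERE ts < ?", (cutoff_ts,))
    return n


def hot_row_count(con):
    """Rows left in the table the analysts actually query."""
    return con.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("top signatures:", top_signatures(db, 3))
    print("noisy sources:", noisy_sources(db))
    print("rare signatures:", rare_signatures(db))
    print("archived:", archive_older_than(db, "2000-11-30 00:00:00"))
    print("hot rows now:", hot_row_count(db))
```

The design point is that nobody reads 1000 alerts a minute; the top-N query tells you which rules to tune or suppress, the rare-signature query gives a short list for the humans, and the archive step keeps the table the console hits from growing without bound, which is also what the MySQL table-lock contention Ryan mentions punishes hardest. On a real server the archive step would run from cron against a date cutoff rather than be called inline.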
