[Snort-users] mysql.php3 - performance issues.

Chris Green cmg at ...671...
Thu Oct 19 22:45:35 EDT 2000


In helping think about these problems with other processing scripts,
the real idea is to store a lot of the information pre-processed and
then incrementally add the new stuff.  Unfortunately, this jump is
often not a trivial hop.

Maybe a cron job that performs tallies into the DB hourly.  Without
doing this, it's hard to even get to daily resolution in a reasonable
amount of time.  A half million+ events isn't going to be something
you want to wait for each time.  I doubt switching DB backends would
help you out - you've got non trivial amounts of processing to do.

Short term solution is to look at hourly/daily
Long term is redesign the processing methodology or wait till someone
else does it first...

Cheers,
Chris

Jason Boyer <jason at ...418...> writes:

> Currently logging all alerts to MYSQL as well as to a log file, problem
> is that using the mysql.php3 script that came with snort it takes almost
> a full hour to process and load. What is the better approach to making
> this script load faster? Only two options I saw were either to switch
> databases or limit the amount of logging I am doing to the mysql
> database. Currently the database has about 550,000 events in it which is
> one month's activity. (Snort box is p3 550 / 128MB Ram) Any other ideas
> / suggestions would be helpful.
> 
> Thanks,
> 
> Jason

-- 
Chris Green <cmg at ...671...>
A good pun is its own reword.
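
Added example (not part of the original message, and not code from Snort or mysql.php3): a sketch of the hourly pre-aggregation idea from the reply, where a cron-style pass folds only new alerts into a small tally table and reports read that table instead of the raw events. It uses SQLite in place of MySQL so it runs stand-alone; the table and column names and the sample alerts are constructed assumptions, and it assumes `cid` increases with insertion order.

```python
import sqlite3

# Constructed, simplified tables (assumption: not the real Snort schema).
SCHEMA = """
CREATE TABLE event (cid INTEGER PRIMARY KEY, signature TEXT, ts INTEGER);
CREATE TABLE hourly_tally (hour INTEGER, signature TEXT, n INTEGER,
                           PRIMARY KEY (hour, signature));
CREATE TABLE tally_state (id INTEGER PRIMARY KEY CHECK (id = 1), last_cid INTEGER);
INSERT INTO tally_state VALUES (1, 0);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def load(db, events):
    """Insert (signature, unix_ts) pairs; cid is assigned in increasing order."""
    db.executemany("INSERT INTO event (signature, ts) VALUES (?, ?)", events)
    db.commit()

def rollup(db):
    """Cron-style pass: fold only events past the watermark into hourly_tally."""
    with db:  # one transaction, so tallies and watermark advance together
        (last,) = db.execute("SELECT last_cid FROM tally_state").fetchone()
        (top,) = db.execute("SELECT COALESCE(MAX(cid), ?) FROM event", (last,)).fetchone()
        new = db.execute(
            "SELECT ts - ts % 3600 AS hour, signature, COUNT(*) FROM event "
            "WHERE cid > ? AND cid <= ? GROUP BY hour, signature", (last, top)).fetchall()
        for hour, sig, n in new:
            cur = db.execute("UPDATE hourly_tally SET n = n + ? "
                             "WHERE hour = ? AND signature = ?", (n, hour, sig))
            if cur.rowcount == 0:  # first alert for this hour/signature bucket
                db.execute("INSERT INTO hourly_tally VALUES (?, ?, ?)", (hour, sig, n))
        db.execute("UPDATE tally_state SET last_cid = ?", (top,))
    return top - last  # number of raw events consumed by this pass

def daily_report(db, day_start):
    """Answer the report from the small tally table, never from raw events."""
    return db.execute(
        "SELECT signature, SUM(n) FROM hourly_tally WHERE hour >= ? AND hour < ? "
        "GROUP BY signature ORDER BY SUM(n) DESC, signature",
        (day_start, day_start + 86400)).fetchall()

if __name__ == "__main__":
    db = open_db()
    load(db, [("ICMP ping", 10), ("ICMP ping", 50), ("port scan", 3700)])  # constructed
    print(rollup(db), rollup(db))   # second pass has nothing new to do
    print(daily_report(db, 0))
```

Because the watermark and the tallies are updated in the same transaction, a pass that is interrupted or run twice does not double-count alerts.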


