[Snort-users] Snort and MySQL

roman at ...438... roman at ...438...
Mon Jan 22 14:55:12 EST 2001

This is at least partially related to MySQL internals.  MySQL currently
only supports table level locking.  When ACID makes a query,
MySQL locks the table for reading.  Thus, when Snort attempts
to write, it will not be able to get a lock (on the entire table)
and remains blocked waiting for the ACID read to finish.  Hence,
the Snort utilization percent will drop.

This phenomenon will be resolved when Snort is multi-threaded.
I would envision at a minimum that the detection core and the
output facilities/plug-ins would be separate threads.


> Well I got my problems fixed (thanks all) and now have snort logging to a
> remote db.  Encountered an interesting thing.  I have consoles with me logged
> into both boxes and I'm running top.  Then I use acid to view data in the db
> and notice that while mysql is busy handling the query, snort drops from 98%
> to 17% cpu utilization, then goes back to 98% after mysql finishes the
> query.  In the same time mysqld goes from 4% utilization to 98% utilization
> while handling the query, then falls back to less than 4%.  Given a few weeks
> I'll go through the ruleset and retailor for our network based on what it did
> see and what we don't really care about to try to reduce the load on the
> sensor.

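An added illustration, not part of the original message and not Snort or MySQL code: a Python model of the stall described in the reply, with a `threading.Lock` standing in for the table-level lock held during an ACID query, run once with detection writing to the table directly and once with a separate output thread. All names (`db_insert`, `detect_inline`, `detect_queued`, `output_worker`, `run`) are hypothetical.

```python
import queue
import threading

table_lock = threading.Lock()   # stands in for MySQL's table-level lock
rows = []                       # stands in for the alert table

def db_insert(alert):
    # A write needs the whole table, so it waits while a reader holds the lock.
    with table_lock:
        rows.append(alert)

def detect_inline(packets, stats):
    # Single-threaded design: detection calls the output plug-in directly.
    for p in packets:
        db_insert(f"alert {p}")
        stats["inspected"] += 1

def detect_queued(packets, stats, outq):
    # Split design: detection only enqueues and never touches the table lock.
    for p in packets:
        outq.put(f"alert {p}")
        stats["inspected"] += 1
    outq.put(None)  # sentinel: no more alerts

def output_worker(outq):
    # Output thread: the only place that blocks on the database.
    while (alert := outq.get()) is not None:
        db_insert(alert)

def run(mode, n=100, query_time=0.3):
    """Inspect n packets while a long 'ACID query' holds the table lock.
    Returns (packets inspected during the query, rows stored afterwards)."""
    rows.clear()
    stats = {"inspected": 0}
    packets = range(n)
    table_lock.acquire()                      # ACID query starts
    if mode == "inline":
        threads = [threading.Thread(target=detect_inline, args=(packets, stats))]
    else:
        outq = queue.Queue()
        threads = [threading.Thread(target=detect_queued, args=(packets, stats, outq)),
                   threading.Thread(target=output_worker, args=(outq,))]
    for t in threads:
        t.start()
    threads[0].join(timeout=query_time)       # let detection run during the query
    during = stats["inspected"]
    table_lock.release()                      # ACID query finishes
    for t in threads:
        t.join()
    return during, len(rows)
```

The queue here is unbounded, so it absorbs the stall only while memory lasts; a bounded queue would force an explicit choice between blocking detection and dropping alerts when the database stays locked.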