[Snort-users] Snort and MySQL
karl at ...501...
Mon Jan 22 15:30:52 EST 2001
What if I configure snort to use ORACLE DBS and patch ACID so that it can
use ORACLE. Is that problem that solved. I face the same problem and it
getting worse. This because my database is getting larger and larger.
Van: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]Namens roman at ...438...
Verzonden: maandag 22 januari 2001 15:55
Aan: Kevin.Brown at ...1022...
CC: snort-users at lists.sourceforge.net
Onderwerp: Re: [Snort-users] Snort and MySQL
This is at least partially related to MySQL internals. MySQL currently
only supports table level locking. When ACID makes a query,
MySQL locks the table for reading. Thus, when Snort attempts
to write, it will not be able to get a lock (on the entire table)
and remains blocked waiting for the ACID read to finish. Hence,
the Snort utilization percent will drop.
This phenomenon will be resolved when Snort is multi-threaded.
I would envision at a minimum that the detection core and the
the output facilities/plug-ins would be seperate threads.
> Well I got my problems fixe (thanks all) and now have snort logging to a
> remote db. Encountered an interesting thing. I have consoles with me
> into both boxes and I'm running top. Then I use acid to view data in the
> and notice that while mysql is busy handling the query, snort drops from
> to 17% cpu utilization, then goes back to 98% after mysql finishes the
> query. In the same time mysqld goes from 4% utilization to 98%
> while handling the query, then falls back to less than 4%. Given a few
> I'll go through the ruleset and retailor for our network based on what it
> see and what we don't really care about to try to reduce the load on the
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
This message was sent using Voicenet WebMail.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
More information about the Snort-users