[Snort-users] Snort and MySQL

Karl Lovink karl at ...501...
Mon Jan 22 15:30:52 EST 2001


What if I configure snort to use ORACLE DBS and patch ACID so that it can
use ORACLE? Is that problem then solved? I face the same problem and it is
getting worse. This is because my database is getting larger and larger.


Kind regards,
Karl


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of roman at ...438...
Sent: Monday, 22 January 2001 15:55
To: Kevin.Brown at ...1022...
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and MySQL


This is at least partially related to MySQL internals.  MySQL currently
only supports table level locking.  When ACID makes a query,
MySQL locks the table for reading.  Thus, when Snort attempts
to write, it will not be able to get a lock (on the entire table)
and remains blocked waiting for the ACID read to finish.  Hence,
the Snort utilization percent will drop.

This phenomenon will be resolved when Snort is multi-threaded.
I would envision at a minimum that the detection core and the
output facilities/plug-ins would be separate threads.

Roman

> Well I got my problems fixed (thanks all) and now have snort logging to a
> remote db.  Encountered an interesting thing.  I have consoles with me logged
> into both boxes and I'm running top.  Then I use acid to view data in the db
> and notice that while mysql is busy handling the query, snort drops from 98%
> to 17% cpu utilization, then goes back to 98% after mysql finishes the
> query.  In the same time mysqld goes from 4% utilization to 98% utilization
> while handling the query, then falls back to less than 4%.  Given a few weeks
> I'll go through the ruleset and retailor for our network based on what it did
> see and what we don't really care about to try to reduce the load on the
> sensor.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
>











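An added example, not part of the original thread or of Snort's code: a simplified tick-based model of the effect Roman describes, comparing a sensor that writes alerts inline with one whose output runs separately behind a queue. The one-packet-per-tick rate, the lock window, the assumption that packets arriving during a stall go uninspected, and all names are assumptions of the model.

```python
from collections import deque

def simulate(ticks, lock_start, lock_end, decoupled, drain_per_tick=2):
    """Model a sensor logging alerts to a table with table-level locking.

    One packet arrives per tick and every inspected packet yields one alert row.
    A reader (the ACID query) holds the table lock for lock_start <= t < lock_end,
    so no INSERT can complete in that window.
    decoupled=False: detection performs the INSERT itself and blocks on the lock.
    decoupled=True:  detection queues the alert; an output worker drains the queue.
    """
    queue = deque()      # alerts waiting for the output worker (decoupled mode)
    pending = False      # inline mode: an INSERT is stuck waiting for the lock
    inspected = missed = written = max_backlog = 0
    for t in range(ticks):
        locked = lock_start <= t < lock_end
        if decoupled:
            inspected += 1                 # detection never waits on the database
            queue.append(t)
            if not locked:
                for _ in range(min(drain_per_tick, len(queue))):
                    queue.popleft()
                    written += 1
            max_backlog = max(max_backlog, len(queue))
            continue
        if pending:
            if locked:
                missed += 1                # sensor still blocked: packet uninspected
                continue
            written += 1                   # lock released, the stuck INSERT completes
            pending = False
        inspected += 1
        if locked:
            pending = True                 # this packet's INSERT now blocks the sensor
        else:
            written += 1
    return {"inspected": inspected, "missed": missed, "written": written,
            "max_backlog": max_backlog, "utilization": inspected / ticks}

if __name__ == "__main__":
    # Constructed scenario: 100 ticks, reader holds the table lock for ticks 20..49.
    for mode in (False, True):
        print("decoupled" if mode else "inline   ", simulate(100, 20, 50, mode))
```

In the decoupled run nothing is missed, but the backlog grows for as long as the reader holds the lock, so a real output queue needs a bound and a policy for what happens when it fills.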