[Snort-users] Possible SQL workaround?

Bill Marquette wlmarque at ...8...
Wed Jan 24 11:39:00 EST 2001

Can the new versions of MySQL do 2-way replication?  Also, keep in mind that any
updates made to the database(s) will be replicated to _all_ other databases.  I
suspect that the unique numbering methodology snort uses to create event IDs
won't work well in the multi snort->multi database situation, but still might be
ok for multi-snort->single db w/ a replication to an ACID db.  The only real
issue I see is if you can't get two way replication working then ACID can only
really view alerts and not do any type of management on them.


From: Kevin.Brown at ...1022... on 01/24/2001 10:22 AM

To:   snort-users at lists.sourceforge.net
Subject:  [Snort-users] Possible SQL workaround?

A thought occurred to me on trying to deal with the problem of snort
pausing when ACID accessed the db.  I don't know if it will work, but could
the snort boxen each log to their own local sql server and then through
replication of the individual databases into one single db that could then be
looked at by ACID?  Or have all the boxen log to one db and then replicate
that db and access it through ACID.  That way snort doesn't lose any time or
information waiting for sql to unlock the db from read-only.

My setup
snort 1.7 listening near edge router on standalone system.

MySQL 3.22.32 on remote server
ACID 0.95

Any thoughts on this?
