[Snort-users] Recommendations?

Kevin.Brown at ...1022...
Thu Mar 1 20:43:48 EST 2001


> Also, I'm building some scripts here similar to Snorticus that break
> Snort up into one process to sniff and one process to decode / log,
> ideally on separate boxen. This breaks things up a bit behind realtime,
> say five or ten minutes or so, but I'm wondering if part of the slowdown
> you're experiencing is from Snort writing to the DB at the same time
> you're running queries (?).

The box is a multi-CPU setup (now quad, was dual before) and Snort running
causes no slowdown, as it seems that MySQL sets table-level locking so it
won't read past the point where the data was when the query started.  Snort
running or not makes no difference to the access time to the data as far as I
can tell.  The biggest slowdown is most definitely the searching of the
signature, which is a text field, even with a key on the first 10 chars.

Starting tomorrow I will be shifting gears and moving the database from MySQL
to Postgres to see what improvements can be gotten.  I'm guessing this means I
need to upgrade ACID from .96b1 to .96b6 or something and get the rest of the
frontend configured (ACID needs another program installed due to database
abstraction to work now, right?)
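The slow signature search the post describes comes down to how MySQL uses a prefix index on a text column. The example below is an added illustration, not code from the poster or from ACID/Snort; the table `snort_sig` and its columns are constructed stand-ins for whatever schema the poster actually used, and the 10-character prefix key mirrors the one mentioned above. A query that anchors at the start of the string (`LIKE 'WEB-MISC%'`) can use the prefix index; a substring search (`LIKE '%cmd.exe%'`) cannot and falls back to a full table scan, which is the pattern that makes searches feel slow no matter how many CPUs the box has.

```sql
-- Constructed table standing in for a Snort/ACID signature table (assumed name).
CREATE TABLE snort_sig (
    sig_id   INT UNSIGNED NOT NULL AUTO_INCREMENT,
    sig_name TEXT NOT NULL,                 -- the text field the post refers to
    PRIMARY KEY (sig_id),
    KEY sig_name_prefix (sig_name(10))      -- key on the first 10 chars, as in the post
);

-- Constructed sample rows (not real Snort alerts).
INSERT INTO snort_sig (sig_name) VALUES
    ('WEB-MISC /etc/passwd access attempt'),
    ('WEB-IIS cmd.exe access'),
    ('ICMP PING NMAP'),
    ('SCAN nmap TCP');

-- Anchored prefix search: the optimizer can walk sig_name_prefix,
-- then re-check the full value for rows whose first 10 chars match.
EXPLAIN SELECT sig_id, sig_name
FROM   snort_sig
WHERE  sig_name LIKE 'WEB-MISC%';

-- Substring search: no leading literal, so the prefix key is useless
-- and MySQL scans every row (type = ALL in the EXPLAIN output).
EXPLAIN SELECT sig_id, sig_name
FROM   snort_sig
WHERE  sig_name LIKE '%cmd.exe%';

-- A common mitigation is to normalise signatures into a lookup table and
-- store only the integer id on the alert rows, so the large event table is
-- joined and filtered on an integer key rather than searched as text.
CREATE TABLE signature (
    sig_id   INT UNSIGNED NOT NULL AUTO_INCREMENT,
    sig_name VARCHAR(255) NOT NULL,
    PRIMARY KEY (sig_id),
    UNIQUE KEY sig_name_uniq (sig_name)
);
```

Run each `EXPLAIN` in the MySQL client and compare the `key` and `rows` columns: the anchored query reports `sig_name_prefix` as the key, the substring query reports no key and a row count equal to the table size. The second table shows the shape of the fix that later ACID/Snort schemas adopted, keeping the free-text search off the large per-event table; it is illustrative only and does not reproduce any real ACID schema.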
