[Snort-users] Snort drops packets with SQL logging.

Thomas Novin thnov at ...4060...
Mon Nov 12 08:37:02 EST 2001


Hi all.

We run snort with two machines, one with the snort program and one with mysql.

Machine 1 (Snort) logs everything to Machine 2 (MySQL) via 100Mbit 
Ethernet. But it drops over 50% of the packages. What could cause this? 
Either machine or network is near full load. If I remove the output log 
database line and just log to a file instead no packets are dropped.

This is my snort.conf on Machine 1:

# Packets that we don't want to log (MySQL)
pass tcp 10.0.0.248/32 any -> x.x.x.x/32 3306
pass tcp x.x.x.x/32 3306 -> 10.0.0.248 any

# Everything else get logged
log tcp any any -> any any (msg:"tcp";)
log udp any any -> any any (msg:"udp";)
log icmp any any -> any any (msg:"icmp";)

# Send logs to mysql database snort_eag on harrier
output database: log, mysql, dbname=snort_eag user=eagle host=x.x.x.x 
password=password encoding=hex detail=fast

Any idea why snort/MySQL can't keep up with this configuration? The network 
load is approx 20 Mbit (peaks 30).

Regards,

Thomas. 





More information about the Snort-users mailing list