[Snort-users] Snort drops packets with SQL logging.
thnov at ...4060...
Mon Nov 12 08:37:02 EST 2001
We run snort with two machines, one with the snort program and one with mysql.
Machine 1 (Snort) logs everything to Machine 2 (MySQL) via 100Mbit
Ethernet. But it drops over 50% of the packets. What could cause this?
Either machine or network is near full load. If I remove the output log
database line and just log to a file instead no packets are dropped.
This is my snort.conf on Machine 1:
# Packets that we don't want to log (MySQL)
pass tcp 10.0.0.248/32 any -> x.x.x.x/32 3306
pass tcp x.x.x.x/32 3306 -> 10.0.0.248 any
# Everything else get logged
log tcp any any -> any any (msg:"tcp";)
log udp any any -> any any (msg:"udp";)
log icmp any any -> any any (msg:"icmp";)
# Send logs to mysql database snort_eag on harrier
output database: log, mysql, dbname=snort_eag user=eagle host=x.x.x.x password=password encoding=hex detail=fast
Any idea why snort/MySQL can't keep up with this configuration? The network
load is approx 20 Mbit (peaks 30).
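Added example, not part of the original post or of Snort itself: the usual way to keep a sensor from stalling on database inserts is to decouple capture from logging. Snort's `-b` switch writes packets to a tcpdump-format (pcap) file, which costs almost nothing per packet, and a separate process then reads that file and loads the database in batched transactions instead of one synchronous INSERT per packet. The script below shows that second half: it parses a pcap file, applies the same exclusion as the two pass rules (sensor <-> database traffic on port 3306), and bulk-inserts the rest. SQLite is used as an offline stand-in for MySQL, the capture is constructed in memory rather than read from disk, and 192.0.2.10 is a hypothetical address standing in for the redacted x.x.x.x.

```python
import socket
import sqlite3
import struct

# Hypothetical addresses: 10.0.0.248 is the sensor from the post,
# 192.0.2.10 stands in for the redacted x.x.x.x MySQL host.
SENSOR_IP = "10.0.0.248"
DB_IP = "192.0.2.10"
MYSQL_PORT = 3306


def ethernet_ipv4(src, dst, proto, l4):
    """Constructed Ethernet/IPv4 frame (zero IP checksum; enough for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def build_sample_pcap():
    """Constructed tcpdump-format capture, the format `snort -b` writes."""
    frames = [
        ethernet_ipv4(SENSOR_IP, DB_IP, 6, tcp(40001, MYSQL_PORT)),  # sensor -> mysql
        ethernet_ipv4(DB_IP, SENSOR_IP, 6, tcp(MYSQL_PORT, 40001)),  # mysql -> sensor
        ethernet_ipv4("10.0.0.5", "10.0.0.80", 6, tcp(1234, 80)),    # web traffic
        ethernet_ipv4("10.0.0.5", "10.0.0.1", 17, udp(5353, 53)),    # dns query
        ethernet_ipv4("10.0.0.5", "10.0.0.1", 1, icmp_echo()),       # ping
    ]
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1005553800 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a little-endian pcap byte string."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (proto, src, dst, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return proto, src, dst, sport, dport


def matches_pass_rule(rec):
    """Same exclusion as the post's two pass rules: sensor <-> mysql on 3306."""
    proto, src, dst, sport, dport = rec
    return proto == 6 and ((src == SENSOR_IP and dst == DB_IP and dport == MYSQL_PORT)
                           or (src == DB_IP and sport == MYSQL_PORT and dst == SENSOR_IP))


def load_pcap_into_db(conn, pcap_bytes, batch_size=500):
    """Bulk-load packets in batched transactions; returns (inserted, skipped)."""
    conn.execute("CREATE TABLE IF NOT EXISTS packets (ts_sec INTEGER, ts_usec INTEGER, "
                 "proto INTEGER, src TEXT, dst TEXT, sport INTEGER, dport INTEGER)")
    sql = "INSERT INTO packets VALUES (?, ?, ?, ?, ?, ?, ?)"
    inserted = skipped = 0
    batch = []
    for ts_sec, ts_usec, frame in iter_pcap(pcap_bytes):
        rec = decode(frame)
        if rec is None:
            continue
        if matches_pass_rule(rec):
            skipped += 1
            continue
        batch.append((ts_sec, ts_usec) + rec)
        if len(batch) >= batch_size:       # one round trip per batch, not per packet
            conn.executemany(sql, batch)
            conn.commit()
            inserted += len(batch)
            batch = []
    if batch:
        conn.executemany(sql, batch)
        conn.commit()
        inserted += len(batch)
    return inserted, skipped


def run_demo():
    """Load the constructed capture; returns (inserted, skipped, rows, mysql_rows)."""
    conn = sqlite3.connect(":memory:")
    inserted, skipped = load_pcap_into_db(conn, build_sample_pcap(), batch_size=2)
    rows = conn.execute("SELECT COUNT(*) FROM packets").fetchone()[0]
    mysql_rows = conn.execute("SELECT COUNT(*) FROM packets WHERE sport=? OR dport=?",
                              (MYSQL_PORT, MYSQL_PORT)).fetchone()[0]
    return inserted, skipped, rows, mysql_rows


if __name__ == "__main__":
    print(run_demo())
```

With a real deployment the sensor runs with `-b` and never talks to MySQL at all, and this loader runs on the database machine (or from cron) against the rotated binary log, so packet capture no longer waits on the database and the pass rules for port 3306 become unnecessary on the sensor.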