[Snort-users] Snort drops packets with SQL logging.

Chris Green cmg at ...671...
Mon Nov 12 13:12:01 EST 2001


Thomas Novin <thnov at ...4060...> writes:

> Hi all.
>
> We run snort with two machines, one with the snort program and one with mysql.
>
> Machine 1 (Snort) logs everything to Machine 2 (MySQL) via 100Mbit
> Ethernet. But it drops over 50% of the packages. What could cause
> this? Either machine or network is near full load. If I remove the
> output log database line and just log to a file instead no packets are
> dropped.
>
> Any idea why snort/MySQL can't keep up with this configuration? The
> network load is approx 20 Mbit (peaks 30).

This is a pretty common question and it is a good bit of why barnyard
was written.

There's a ton to do on every database insert and snort is waiting on
MySQL to finish its thing before it can do its thing of looking at the
packets.

It's much better to log in unified or binary format and perform SQL
insertions and analysis as an independent activity from packet capturing.
-- 
Chris Green <cmg at ...671...>
A watched process never cores.
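The point of the reply above, worked through as an added example that is not code from this thread, from Snort, or from barnyard: a small discrete-event model shows why a synchronous database insert inside the capture loop makes the kernel ring overflow at roughly the rate the question reports, and a spool-and-load pair implements the recommended pattern, with the capture side doing one cheap binary append per event and a separate loader doing the SQL inserts in batches. The function names (`simulate_capture`, `spool_append`, `spool_load`, `run_demo`), the per-packet timings, the record layout, and the sample events are all assumptions made for the example; the record format is not Snort's real unified layout.

```python
"""Added example for the Snort-users reply above; not code from the thread,
Snort, or barnyard. Timings, record layout and sample events are constructed."""
import os
import sqlite3
import struct
import tempfile
from collections import deque

# Constructed model parameters (assumptions, not measurements from the thread).
RING_SLOTS = 64            # packets the kernel receive ring holds before dropping
PACKET_INTERVAL_US = 200   # ~5000 pkt/s, roughly 20 Mbit/s of 500-byte packets
INSPECT_US = 50            # rule matching per packet
DB_INSERT_US = 2000        # one synchronous INSERT round trip to the MySQL host
SPOOL_WRITE_US = 10        # appending one small binary record to a local file


def simulate_capture(arrivals_us, service_us, ring_slots=RING_SLOTS):
    """Discrete-event model: one capture process drains a fixed-size ring.

    The process handles packets one at a time and is busy for service_us per
    packet, so a packet starts at max(arrival, previous completion). A packet
    arriving while the ring is full is discarded by the kernel, which is what
    Snort's packet-drop counter reports. Returns the number dropped.
    """
    ring = deque()
    busy_until = 0
    dropped = 0
    for t in arrivals_us:
        # Drain every packet the process could have finished before this arrival.
        while ring and busy_until <= t:
            queued = ring.popleft()
            busy_until = max(busy_until, queued) + service_us
        if len(ring) >= ring_slots:
            dropped += 1
        else:
            ring.append(t)
    return dropped


# Constructed fixed-size record: ts_sec, ts_usec, sig_id, src_ip, dst_ip,
# src_port, dst_port. NOT Snort's real unified layout; it only stands in for
# "one small binary record per event, no database call in the capture path".
RECORD = struct.Struct("<IIIIIHH")


def spool_append(path, events):
    """Capture side: one append per event and nothing to wait for."""
    with open(path, "ab") as fh:
        for ev in events:
            fh.write(RECORD.pack(*ev))


def spool_load(path, conn, batch=500):
    """Loader side (barnyard's job): read the spool and insert in batches.

    Runs independently of capture, so slow INSERTs cost the sniffer nothing.
    A trailing partial record means the writer is mid-write; it is skipped
    rather than inserted as garbage. Returns the number of rows inserted.
    """
    conn.execute(
        "CREATE TABLE IF NOT EXISTS event (ts_sec INTEGER, ts_usec INTEGER, "
        "sig_id INTEGER, src_ip INTEGER, dst_ip INTEGER, "
        "src_port INTEGER, dst_port INTEGER)"
    )
    inserted = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(RECORD.size * batch)
            if not chunk:
                break
            whole = len(chunk) - len(chunk) % RECORD.size   # drop a partial tail
            rows = list(RECORD.iter_unpack(chunk[:whole]))
            with conn:  # one transaction per batch amortises the per-INSERT cost
                conn.executemany("INSERT INTO event VALUES (?,?,?,?,?,?,?)", rows)
            inserted += len(rows)
    return inserted


def run_demo(n_packets=10_000):
    """Compare drop counts for both designs and round-trip events via the spool."""
    arrivals = [i * PACKET_INTERVAL_US for i in range(n_packets)]
    drops_inline = simulate_capture(arrivals, INSPECT_US + DB_INSERT_US)
    drops_spool = simulate_capture(arrivals, INSPECT_US + SPOOL_WRITE_US)

    # Constructed events: every packet is logged, as in the original question.
    events = [(1_005_000_000 + t // 1_000_000, t % 1_000_000, 1000 + i % 3,
               0x0A000001, 0x0A000002 + i % 5, 40000 + i, 80)
              for i, t in enumerate(arrivals)]
    with tempfile.TemporaryDirectory() as d:
        spool = os.path.join(d, "snort.log")
        spool_append(spool, events)
        with open(spool, "ab") as fh:
            fh.write(b"\x00" * 7)  # the capture process caught mid-record
        conn = sqlite3.connect(":memory:")
        loaded = spool_load(spool, conn)
        sigs = conn.execute("SELECT COUNT(DISTINCT sig_id) FROM event").fetchone()[0]
        conn.close()
    return {"packets": n_packets, "dropped_inline_db": drops_inline,
            "dropped_spool": drops_spool, "rows_loaded": loaded,
            "distinct_sigs": sigs}


if __name__ == "__main__":
    print(run_demo())
```

With these constructed numbers the inline-insert design services one packet per 2.05 ms while packets arrive every 0.2 ms, so the 64-slot ring stays full and most of the 10,000 packets are dropped, while the spool design drops none because a local append is far cheaper than the inter-arrival time. In a real deployment the spool is Snort's own unified output (`log_unified` / `alert_unified`) and barnyard is the loader; barnyard also keeps a bookmark (its waldo file) of how far it has read, so restarts and a writer caught mid-record are handled rather than re-inserting or losing events.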