[Snort-users] a user experience w/ Snort, ACID & (Postgre|My)SQL

Saad Kadhi bsdguy at ...1472...
Wed Oct 3 00:16:02 EDT 2001

Hi there,

I am very new to Snort & practical ID though I've read like many the
books from Nortcutt & co. I have installed my first Snort sensors 4/5
weeks ago and before continuing any further, I'd like to thank Marty &
the crew for such a good system. I am writing this to share my
experience on the subject if anyone is interested. If no one gives a
heck about it, then sorry for the bandwidth noise :p

Since I am working on a project for my current employer for
small-to-wide deployments of Snort, I choosed for my first install
PostgreSQL as the DB backend on an OpenBSD platform. I am not as
knowledgeable w/ RDBMS as I am w/ OSes in general. My OpenBSD kernel is
as optimized as I can make it & I applied every trick I found about
increasing PostgreSQL performance but still, the ACID/PostgreSQL couple
is *extremely* slow. The hardware I am using is very standard. I have
been in touch w/ Chris Kuethe & Roman & others about this very subject,
read the archives ... to no avail. Looked into DNS bottlenecks, fs
performance ...etc. After a while, I switched the RDBMS to MySQL. Same
hardware, just 'mv PostgreSQL MySQL'. And the performance sky rocketed.
Literally. While it took ages to load the ACID main page w/ 5000 alerts
w/ PostgreSQL as the backend, it showed in a snap w/ MySQL. I am
stumped. The system is not *that* loaded (19%sys, 34%user at most & for
very short times) in either case. The system is not swapping (or very
little). But ACID/MySQL is much faster than ACID/PostgreSQL.

Please, I do not want to start a PostgreSQL vs. MySQL flame war. I am
just saying that in my particular case, MySQL saves the day. The only
problem I am having now is w/ persistent connections & httpd gobbling
memory but that's another story.

[put your signature here]
self-customize-sig(tm). another dumb patent...

More information about the Snort-users mailing list