[Snort-users] ACID/SQL performance issues

Matthew Collins Matthew.Collins at ...1681...
Thu Oct 4 05:08:04 EDT 2001

I've had a similar problem as well. 90K is a lot to move to the archive. I find on my machine (p200) it takes about 10 minutes to archive 2000 alerts. Deletetion is much quicker.
Archive is slow because for each alert it closes the current connection, opens a new one to the archive database, inserts the data, closes the connection again and reopens the main DB connection. Very slow. Is your archive DB on the same machine? I imagine archiving over the network would take a lot longer.
What I do if I have too many alerts to archive is to perform a search with a date range (everything <= 1 oct 2001) and then archive entire query. Do this several times, and you trim down your DB.
I do this every morning now, to keep the database size down. I only keep arround interesting alerts, but stuff is still in the archive if I need it.

>>> Jim Howard <Jim.Howard at ...2728...> 03/10/01 19:46:22 >>>
Hi folks, just wondered if there was anyone addressing the performance of
the SQL calls from ACID.  I have a 200,000 entry snort database in MySQL.
Of this, some 90k are from nimda infected machines (not my own thankyou.).
I changed the timeout value from the default 30 seconds to 3600 (yes, 1
hour), and it is still timing out when trying to manipulate this sql call.
I am trying to take these records and move them to the archive database.  I
also tried just plain deleting them.  Both fail.  I optomized all the tables
before trying, as well.  I haven't added any of the optional indexes, as I
am fairly new to MySQL, and haven't had time to look up how to add them..
would this help?

The machine is a P-II 350mhz with 256 meg RAM, running snort 1.8.1, MySQL,
and ACID b13.  I saw one other post where the person wrote some of their own
SQL, just to make sure it wasn't a problem in MySQL.  I really like the ACID
interface, for presentation, and ease of use...  Is there anything we can do
to increase performance?  I would be willing to donate some testing time if
it would help.  I don't know a lot of SQL though.

ACID .9.6b13
MySQL Ver 11.15 Distrib 3.23.41
snort 1.8.1
adodb 1.12


Snort-users mailing list
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use 
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, arrive late or contain 
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
Northern Registrars Limited, Northern House, Woodsome Park, Fenay 
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk

More information about the Snort-users mailing list