[Snort-users] Packet Payload not appearing for internal traffic.
chris at ...2949...
Fri Oct 5 20:26:02 EDT 2001
On Friday, October 5, 2001, at 09:35 , Susan Kay Coulter wrote:
> You didn't mention which database you're using, or the snaplen ... but,
> I found that there is a very real limitation with mysql - depending on
> what OS and how it's configured. mysql tables have an upper limit of
> whatever the max size is on your box. The 'data' table (which contains
> the payload)
http://www.mysql.com/doc/T/a/Table_size.html has a good discussion of
the limits. Of interest is the RAID directive when creating tables - you
can have MySQL use multiple files for a table, each of which can be up
to the OS limit (4GB on most 32-bit systems). Perhaps even better for
snort purposes are MERGE tables, which allow you to use multiple tables
with identical configuration as a single table. This could be
particularly nice if you want to rotate your logs - you could archive
data monthly, have most of your code query the current table for
immediate reporting and still be able to use all of your historical data
for historical reporting.
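The monthly rotation scheme described above, written out as an added example (this is not code from the original post or from the Snort project). It assumes a MyISAM-backed Snort 'data' table with the columns (sid, cid, data_payload); the table names data_2001_09, data_2001_10 and data_all are hypothetical, and the MERGE/UNION syntax is MySQL's:

```sql
-- Added example, not part of the original post or the Snort project.
-- Assumptions: MyISAM storage, Snort's 'data' table layout
-- (sid, cid, data_payload); table names below are hypothetical.

-- One payload table per month. Every member of a MERGE table must have
-- exactly the same column and index definitions, so repeat them verbatim.
CREATE TABLE data_2001_09 (
  sid          INT UNSIGNED NOT NULL,   -- sensor id
  cid          INT UNSIGNED NOT NULL,   -- event id on that sensor
  data_payload TEXT,                    -- captured packet payload (hex)
  PRIMARY KEY (sid, cid)
) ENGINE=MyISAM;

CREATE TABLE data_2001_10 (
  sid          INT UNSIGNED NOT NULL,
  cid          INT UNSIGNED NOT NULL,
  data_payload TEXT,
  PRIMARY KEY (sid, cid)
) ENGINE=MyISAM;

-- The MERGE table presents all monthly tables as one. INSERT_METHOD=LAST
-- sends inserts to the last table in the UNION list (the current month).
CREATE TABLE data_all (
  sid          INT UNSIGNED NOT NULL,
  cid          INT UNSIGNED NOT NULL,
  data_payload TEXT,
  KEY (sid, cid)
) ENGINE=MERGE UNION=(data_2001_09, data_2001_10) INSERT_METHOD=LAST;

-- Snort (or the reporting code that wants only fresh data) writes to and
-- reads from the current month's table directly.
SELECT sid, cid, LENGTH(data_payload) AS payload_len
  FROM data_2001_10
 WHERE sid = 1
 ORDER BY cid DESC
 LIMIT 10;

-- Historical reporting queries the MERGE table and sees every month.
SELECT COUNT(*) AS total_payloads
  FROM data_all;

-- Monthly rotation: create next month's table (same definition again),
-- then point the MERGE table at the new list. Old months stay queryable
-- through data_all and can be dropped individually once archived.
CREATE TABLE data_2001_11 (
  sid          INT UNSIGNED NOT NULL,
  cid          INT UNSIGNED NOT NULL,
  data_payload TEXT,
  PRIMARY KEY (sid, cid)
) ENGINE=MyISAM;

ALTER TABLE data_all UNION=(data_2001_09, data_2001_10, data_2001_11);
```

Two caveats a practitioner will want: a MERGE table does not enforce uniqueness across its members, so the (sid, cid) primary key only holds within each monthly table, and the MERGE engine only works over MyISAM tables. The RAID_TYPE/RAID_CHUNKS options mentioned in the post were likewise MyISAM-only and were dropped from later MySQL releases, so on anything but a MySQL 3.23-era server the MERGE approach is the one that still applies.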