[Snort-users] Packet Payload not appearing for internal traffic.

Chris Adams chris at ...2949...
Fri Oct 5 20:26:02 EDT 2001

On Friday, October 5, 2001, at 09:35, Susan Kay Coulter wrote:
> You didn't mention which database you're using, or the snaplen ... but, I found
> that there is a very real limitation with mysql - depending on what OS and how
> it's configured.  mysql tables have an upper limit of whatever the max file
> size is on your box.  The 'data' table (which contains the payload) usually

http://www.mysql.com/doc/T/a/Table_size.html has a good discussion of 
the limits. Of interest is the RAID directive when creating tables - you 
can have MySQL use multiple files for a table, each of which can be up 
to the OS limit (4GB on most 32-bit systems). Perhaps even better for 
snort purposes are MERGE tables, which allow you to use multiple tables 
with identical configuration as a single table. This could be 
particularly nice if you want to rotate your logs - you could archive 
data monthly, have most of your code query the current table for 
immediate reporting and still be able to use all of your historical data 
for historical reporting.
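
The monthly rotation described above, sketched as an added example that is not part of the original post. The table names (`data_2001_09`, `data_all`, and so on) are hypothetical, the three columns are an assumed, simplified payload table rather than the exact Snort schema, and the statements use the `ENGINE=` keyword of current MySQL releases.

```sql
-- Constructed example: hypothetical table names, simplified payload columns.

-- One MyISAM table per month. Every table that will be merged must have
-- identical column and index definitions.
CREATE TABLE data_2001_09 (
    sid          INT UNSIGNED NOT NULL,   -- sensor id
    cid          INT UNSIGNED NOT NULL,   -- event id within the sensor
    data_payload TEXT,                    -- captured packet payload
    PRIMARY KEY (sid, cid)
) ENGINE=MyISAM;

CREATE TABLE data_2001_10 LIKE data_2001_09;

-- The MERGE table presents the monthly tables as one. It carries a plain
-- index instead of a primary key because a MERGE table cannot enforce
-- uniqueness across its underlying tables. INSERT_METHOD=LAST sends rows
-- inserted through data_all to the last table in the UNION list.
CREATE TABLE data_all (
    sid          INT UNSIGNED NOT NULL,
    cid          INT UNSIGNED NOT NULL,
    data_payload TEXT,
    INDEX (sid, cid)
) ENGINE=MERGE UNION=(data_2001_09, data_2001_10) INSERT_METHOD=LAST;

-- Immediate reporting: query only the current month's table.
SELECT COUNT(*) AS payloads_this_month
FROM data_2001_10;

-- Historical reporting: query the merged view over every month.
SELECT sid, cid, LENGTH(data_payload) AS payload_bytes
FROM data_all
WHERE sid = 1
ORDER BY cid;

-- Month rollover: create the new table, then redefine the UNION list so
-- the new month becomes the insert target.
CREATE TABLE data_2001_11 LIKE data_2001_10;
ALTER TABLE data_all UNION=(data_2001_09, data_2001_10, data_2001_11);

-- Archiving: drop the oldest month from the UNION list first, after which
-- its table files can be moved off the box independently.
ALTER TABLE data_all UNION=(data_2001_10, data_2001_11);
```

Each underlying table is still subject to the per-file size limit, so the rotation interval has to be short enough that a single month's payload data stays under it.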

