[Snort-users] Speeding up mysql

quentyn at ...3871... quentyn at ...3871...
Fri Oct 19 09:43:10 EDT 2001


Hi all,

This may be of use to everyone logging snort to a mysql db (don't know
about others).

We were having problems with the mysql backend to snort with respect to
speed. Using snort report took over 3 mins to generate (using Snort
Report Version 1.06). My colleague managed to grab one of our developers
and came up with the following changes to the mysql db structure (if
this kills your DB we take *NO* responsibility) ....

alter table iphdr add index(cid);
alter table event add index(cid);
alter table tcphdr add index(cid);
alter table event add index(signature);
alter table signature add index(sig_id);

Now the report comes back in seconds (with 34044 records in event)
whereas it used to take 3-4 mins (on a single 800 with 2Gb RAM).

He is now looking at optimizing the PHP to see if he can speed up that.

YMMV - but I hope it helps. 


Q



-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
Quidquid latine dictum sit, altum viditur (anything said in Latin sounds
lofty)
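
Added example, not part of the original post: a way to see why these indexes help, by counting full-table scans in the query plan before and after creating them. It uses SQLite from the Python standard library as a stand-in for MySQL; the table columns beyond cid, signature and sig_id, the sample rows and the report-style query are all constructed assumptions.

```python
import sqlite3

# Constructed stand-ins for the tables in the post. Only cid, signature and
# sig_id are named there; sid, ip_src and sig_name are assumptions.
SCHEMA = """
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER);
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER);
CREATE TABLE signature (sig_id INTEGER, sig_name TEXT);
"""
# SQLite spelling of four of the post's ALTER TABLE ... ADD INDEX statements
# (tcphdr is left out because the sample query does not touch it).
INDEXES = """
CREATE INDEX iphdr_cid     ON iphdr(cid);
CREATE INDEX event_cid     ON event(cid);
CREATE INDEX event_sig     ON event(signature);
CREATE INDEX signature_sid ON signature(sig_id);
"""
# Hypothetical report-style query: source addresses seen for one signature.
REPORT = """
SELECT s.sig_name, i.ip_src FROM signature s
JOIN event e ON e.signature = s.sig_id
JOIN iphdr i ON i.cid = e.cid
WHERE s.sig_id = ?
"""

def build(n_events=2000, n_sigs=20):
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA automatic_index = OFF")  # no hidden temporary indexes
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   [(s, f"sig-{s}") for s in range(n_sigs)])
    db.executemany("INSERT INTO event VALUES (1, ?, ?)",
                   [(c, c % n_sigs) for c in range(n_events)])
    db.executemany("INSERT INTO iphdr VALUES (1, ?, ?)",
                   [(c, 0x0A000000 + c % 256) for c in range(n_events)])
    return db

def full_scans(db):
    # Count the tables the planner reads end to end for REPORT.
    plan = db.execute("EXPLAIN QUERY PLAN " + REPORT, (7,)).fetchall()
    return sum(1 for row in plan if row[-1].startswith("SCAN"))

def compare():
    db = build()
    before, rows_before = full_scans(db), db.execute(REPORT, (7,)).fetchall()
    db.executescript(INDEXES)
    after, rows_after = full_scans(db), db.execute(REPORT, (7,)).fetchall()
    return before, after, sorted(rows_before) == sorted(rows_after), len(rows_after)
```

compare() returns the scan count before and after indexing, whether the result rows are unchanged, and the row count. On the real database, MySQL's own EXPLAIN on the report's queries gives the equivalent view.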



