[Snort-users] Snort w/ Mysql's 'Insert Delayed' and Barnyard
jed at ...153...
Tue Jul 9 13:37:05 EDT 2002
On Tue, Jul 09, 2002 at 03:22:56PM -0400, Tom Sevy wrote:
> I have a snort sensor server sniffing multiple lan segments. Looks like
> barnyard might be a little bit of trouble to install for this scenario
> (muliple barnyard config files for multiple sensors?).
> Does anyone know if just modifiying spp_database.c and changing the 'INSERT
> INTO' sql commands to 'INSERT DELAYED INTO' is a bad idea?
The quick way to address this is to change the MYSQL_INSERT define in
Currently it looks like this... So just switch the comment.
/*#define MYSQL_INSERT "INSERT DELAYED " */
#define MYSQL_INSERT "INSERT "
I'm not sure the reason why the default was changed from INSERT DELAYED
to the current of INSERT. Checking the CVS logs the reason seems to be
- temporarily removed support for the DELAYED clause in MySQL inserts
(it was interferring with some of the code with the reference tags.
Further investigation will be needed)
I use INSERT DELAYED on the snort instances I maintain and it works fine
(and fast) -- I have never had any packet loss (although I always run my
mysql server on the same host as snort). Also, I don't make use of the
reference tag in any of my rules; thus, I'm not familiar with the
problem mentioned in CVS.
More information about the Snort-users