[Snort-users] Snort w/ Mysql's 'Insert Delayed' and Barnyard

Jed Pickel jed at ...153...
Tue Jul 9 13:37:05 EDT 2002


On Tue, Jul 09, 2002 at 03:22:56PM -0400, Tom Sevy wrote:
> I have a snort sensor server sniffing multiple lan segments.  Looks like
> barnyard might be a little bit of trouble to install for this scenario
> (muliple barnyard config files for multiple sensors?).
> 
> Does anyone know if just modifiying spp_database.c and changing the 'INSERT
> INTO' sql commands to 'INSERT DELAYED INTO' is a bad idea?

The quick way to address this is to change the MYSQL_INSERT define in
spo_database.h.

Currently it looks like this... So just switch the comment.
/*#define MYSQL_INSERT "INSERT DELAYED " */
#define MYSQL_INSERT "INSERT "

I'm not sure the reason why the default was changed from INSERT DELAYED
to the current of INSERT. Checking the CVS logs the reason seems to be
the following... 

- temporarily removed support for the DELAYED clause in MySQL inserts
  (it was interferring with some of the code with the reference tags.
   Further investigation will be needed)

I use INSERT DELAYED on the snort instances I maintain and it works fine
(and fast) -- I have never had any packet loss (although I always run my
mysql server on the same host as snort). Also, I don't make use of the
reference tag in any of my rules; thus, I'm not familiar with the
problem mentioned in CVS.

Regards,

* Jed




More information about the Snort-users mailing list