[Snort-users] Acid and Mysql with Snort

Hutchinson, Andrew Andrew.Hutchinson at ...3639...
Fri Jul 12 06:26:06 EDT 2002

Two things for you to check from the ACID faq:


(B-10) MySQL optimizations 

1. Compact the tables
After numerous delete operations, "holes" will occur in the native files
used to store the tables, decreasing the speed of all the queries. The
following shell script will examine all the MySQL tables and compact
# tail -n +2 skips the header row of the "show tables" output
for table in `echo show tables|mysql snort|tail -n +2`; do
   echo optimize  table $table|mysql snort
done

2. Creating indexes
Some of the required indexes are not created in initial MySQL creation
script. The following indexes can be added to significantly improve
acid_ag_alert.ag_sid + acid_ag_alert.ag_cid 

Based on what you're seeing, I would suspect that adding the indices
listed in step 2 is the key for you. MySQL is plenty fast - you just
need to have the proper indexing set up.  If you need a good MySQL
reference, pick up a copy of Paul DuBois' book, which is currently the
bible for MySQL.  O'Reilly also recently released a reference by Monty
and the MySQL AB team, but I haven't read it yet and thus cannot

Hope this helps,


Andrew Hutchinson
Vanderbilt University Medical Center
Informatics / NCS / Network Security
andrew.hutchinson at ...758...
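
The two FAQ steps above combined into one script, as an added example that is not part of the original post or the ACID FAQ. It assumes the database is named snort as in the thread, that the mysql client reads its credentials from ~/.my.cnf, and that the FAQ's "ag_sid + ag_cid" means one composite index; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the ACID FAQ or the original post.
# Assumes the database is called "snort" (as in the thread) and that the
# mysql client picks up credentials from ~/.my.cnf.
DB=${DB:-snort}

# stdin: table names, one per line. stdout: one OPTIMIZE TABLE statement per
# name. Names containing anything outside [A-Za-z0-9_] are skipped so that
# nothing unexpected is interpolated into the SQL.
optimize_sql() {
    while IFS= read -r table; do
        case $table in
            '') ;;
            *[!A-Za-z0-9_]*) echo "skipping table name: $table" >&2 ;;
            *) printf 'OPTIMIZE TABLE `%s`;\n' "$table" ;;
        esac
    done
}

# stdin: tab-separated SHOW INDEX rows (Key_name, Seq_in_index and
# Column_name are columns 3, 4 and 5). Succeeds if one index starts with
# ag_sid followed by ag_cid.
has_sid_cid_index() {
    awk -F '\t' '
        $4 == 1 && $5 == "ag_sid" { first[$3] = 1 }
        $4 == 2 && $5 == "ag_cid" { second[$3] = 1 }
        END { for (k in first) if (k in second) exit 0; exit 1 }'
}

run_maintenance() {
    # Step 1: compact every table in a single mysql session.
    mysql -N -B -e 'SHOW TABLES' "$DB" | optimize_sql | mysql "$DB"
    # Step 2: add the composite index only if it is not already there.
    if ! mysql -N -B -e 'SHOW INDEX FROM acid_ag_alert' "$DB" | has_sid_cid_index; then
        mysql -e 'ALTER TABLE acid_ag_alert ADD INDEX (ag_sid, ag_cid)' "$DB"
    fi
}

# Only touch the database when asked to: sh acid-maint.sh --run
if [ "${1:-}" = "--run" ]; then
    run_maintenance
fi
```

On MyISAM tables OPTIMIZE TABLE holds a lock on each table while it runs, so Snort's inserts wait until it finishes.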

-----Original Message-----
From: Hall, Duane [mailto:Duane.Hall at ...4888...] 
Sent: Thursday, July 11, 2002 2:52 PM
To: Snort Userslist
Subject: [Snort-users] Acid and Mysql with Snort

I have a speed issue with ACID.  To give a little background:  I was
using snort to capture packets for the Internet team to help diagnose an
issue.  The only problem is they started stress testing without telling
me.  So between 8:00am and lunch, snort and Mysql logged about 2.5
million of these packets.  I am proud to say it didn't lose a single
packet.  Now my problem.  Mysql and ACID are slow.  It takes upwards of
2 - 5 minutes to run a query.  Are there any performance tuning scripts
available for Mysql and the snort database. For now these logged packets
aren't needed, so I am removing them from the database.  My question is
what if the database ever has this issue again.

Duane Hall
Security Administrator
Hastings Entertainment

