[Snort-users] Snort, MySQL, Acid

Whaley, Mike mwhaley at ...5464...
Mon May 6 13:18:03 EDT 2002

Hi Tim,

Just curious, what is your hardware configuration?  I've got snort tuned
down to about 10,000 events a day and run it on a Celeron 400 MHz with 512
MB of PC100 RAM.  This is about all this box can handle and it runs at about
60% utilization all the time, sometimes pegged out for brief moments.  Well,
take it easy.

Mike Whaley

-----Original Message-----
From: Tim Sailer [mailto:sailer at ...2968...]
Sent: Monday, May 06, 2002 1:37 PM
To: Anton A. Chuvakin
Cc: Redman, Ken; Snort Users List (E-mail)
Subject: Re: [Snort-users] Snort, MySQL, Acid

On Mon, May 06, 2002 at 03:32:54PM -0400, Anton A. Chuvakin wrote:
> Hello,
> >I think the easiest way, since you have ACID, is to query on your IP
> >address in ACID, and then tell it to delete the whole query. It will
> >clean up nicely.
> Not if you have 100,000 records or more.

Really? I guess it all depends on your hardware and configuration.
We get 100k records or more on a bad day. 1-3 million records
is the max we can handle in the database at one time. It's no speed
demon by any stretch, but it still runs and doesn't crash.


> Sorry for a one-liner, but archiving/deleting with ACID for large
> databases is very unstable. I have not found a way to recover my
> ACID/snort database after it was flooded by thousands of records. That
> leaves it in pretty much unusable shape.
> Best,
> -- 
>      Anton A. Chuvakin, Ph.D.
>      http://www.chuvakin.org
>    http://www.info-secure.org

Tim Sailer <sailer at ...2968...> 
Brookhaven National Laboratory  (631) 344-3001

