[Snort-users] Question on database for Snort

Paul Schmehl pauls at ...6838...
Tue Apr 1 15:22:52 EST 2003


On Tue, 2003-04-01 at 13:24, Kreimendahl, Chad J wrote:
> My guess is that fewer joins are being done to get the speed lost in
> applications like ACID.  Specifically, with a primary key that is two
> values, you lose lots of points (create tons more CPU cycles and add
> enormous IO time) doing outer joins on tables (like you'd have to for
> tcphdr, icmphdr, udphdr....).
> 
> Simply taking out those tables which join to iphdr will often save a
> great deal of time, but can be a problem when the information is
> needed... and the user has to wait a while for it to show up.
> 
Actually that's not the case, but that's also not the primary reason we
began working on our own frontend.  The inability to search for all
events by IP was the biggest driving force and the slow response time
was the second biggest reason.  We also didn't see the need to cache
events rather than simply querying the database directly.  Caching tends
to skew the view you have of what's going on, in our opinion.

-- 
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
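To make the join cost and the "search all events by IP" question in this exchange concrete, here is an added example that is not code from Snort, ACID or Paul's frontend. It builds a cut-down copy of Snort's database layout (event, iphdr, tcphdr, udphdr and icmphdr, all keyed by the composite (sid, cid) pair, which is assumed from the Snort create_mysql schema) in an in-memory SQLite database, loads three constructed events, and runs two versions of the by-address search: a summary query that touches only event and iphdr, and a detail query that adds the outer join per layer-4 table that the quoted reply describes. The index on ip_src/ip_dst is my addition; the composite key alone does nothing for a search by address.

```python
"""Toy model of the Snort database layout: the (sid, cid) composite key, the
per-protocol header tables that must be outer-joined, and a search for every
event involving one address.  Added example; schema is a simplified version
of Snort's create_mysql layout and all events are constructed."""
import socket
import sqlite3
import struct

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                      PRIMARY KEY (sid, cid));
CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                      ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr  (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                      PRIMARY KEY (sid, cid));
CREATE TABLE udphdr  (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                      PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER,
                      PRIMARY KEY (sid, cid));
-- added here: a search by address needs these, the (sid, cid) key does not help
CREATE INDEX iphdr_src ON iphdr (ip_src);
CREATE INDEX iphdr_dst ON iphdr (ip_dst);
"""

# Constructed sample events, one per protocol:
# (sid, cid, sig_id, sig_name, timestamp, src, dst, ip_proto, l4 table, (col1, col2, v1, v2))
SAMPLE = [
    (1, 1, 100, "constructed tcp alert", "2003-04-01 13:00:00", "10.0.0.5", "192.168.1.10", 6,
     "tcphdr", ("tcp_sport", "tcp_dport", 4321, 80)),
    (1, 2, 101, "constructed udp alert", "2003-04-01 13:00:05", "192.168.1.10", "10.0.0.5", 17,
     "udphdr", ("udp_sport", "udp_dport", 53, 1024)),
    (1, 3, 102, "constructed icmp alert", "2003-04-01 13:00:09", "10.0.0.7", "192.168.1.10", 1,
     "icmphdr", ("icmp_type", "icmp_code", 8, 0)),
]

def ip_to_int(dotted):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for sid, cid, sig, name, ts, src, dst, proto, l4, (c1, c2, v1, v2) in SAMPLE:
        conn.execute("INSERT OR IGNORE INTO signature VALUES (?, ?)", (sig, name))
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst), proto))
        # l4/c1/c2 come from our own constant above, never from user input
        conn.execute(f"INSERT INTO {l4} (sid, cid, {c1}, {c2}) VALUES (?, ?, ?, ?)",
                     (sid, cid, v1, v2))
    conn.commit()
    return conn

# Summary: event + iphdr only, one join on the composite key, no outer joins.
BY_IP_SUMMARY = """
SELECT e.sid, e.cid, s.sig_name, e.timestamp, i.ip_src, i.ip_dst, i.ip_proto
  FROM event e
  JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
  JOIN signature s ON s.sig_id = e.signature
 WHERE i.ip_src = ? OR i.ip_dst = ?
 ORDER BY e.timestamp"""

# Detail: one LEFT JOIN per layer-4 table.  Only one of the three can match a
# given (sid, cid), so most of the extra columns come back NULL; this is the
# work the quoted reply suggests deferring until a user asks for it.
BY_IP_DETAIL = """
SELECT e.sid, e.cid, s.sig_name, e.timestamp, i.ip_src, i.ip_dst, i.ip_proto,
       t.tcp_sport, t.tcp_dport, u.udp_sport, u.udp_dport, c.icmp_type, c.icmp_code
  FROM event e
  JOIN iphdr i        ON i.sid = e.sid AND i.cid = e.cid
  JOIN signature s    ON s.sig_id = e.signature
  LEFT JOIN tcphdr t  ON t.sid = e.sid AND t.cid = e.cid
  LEFT JOIN udphdr u  ON u.sid = e.sid AND u.cid = e.cid
  LEFT JOIN icmphdr c ON c.sid = e.sid AND c.cid = e.cid
 WHERE i.ip_src = ? OR i.ip_dst = ?
 ORDER BY e.timestamp"""

def events_by_ip(conn, dotted, detail=False):
    """Every event with the address as source or destination, as dicts."""
    n = ip_to_int(dotted)
    rows = []
    for r in conn.execute(BY_IP_DETAIL if detail else BY_IP_SUMMARY, (n, n)):
        d = dict(r)
        d["ip_src"], d["ip_dst"] = int_to_ip(d["ip_src"]), int_to_ip(d["ip_dst"])
        rows.append(d)
    return rows

def query_plan(conn, sql):
    """EXPLAIN QUERY PLAN text, to confirm the address search uses an index."""
    return [r[-1] for r in conn.execute("EXPLAIN QUERY PLAN " + sql, (0, 0))]

if __name__ == "__main__":
    db = build_db()
    for ev in events_by_ip(db, "192.168.1.10", detail=True):
        print(ev)
    print("\n".join(query_plan(db, BY_IP_SUMMARY)))
```

The summary query is what a frontend can run on every page load; the detail query, with its three outer joins on the composite key, is what you pay for when the layer-4 fields are shown for every row. Run `query_plan` with and without the two indexes on a real-sized iphdr table to see the difference a by-address search makes.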
