[Snort-users] Acid database lost events, help!!!

Tinsley Paul Paul.Tinsley at ...9244...
Wed May 21 09:49:12 EDT 2003


Looking at the size of the database isn't a good telling sign of how much
data you have in a MySQL database.  When records are deleted the space is
not reclaimed unless you specifically reclaim it.  From MySQL docs: "Deleted
records are maintained in a linked list and subsequent INSERT operations
reuse old record positions."

See http://www.mysql.com/doc/en/OPTIMIZE_TABLE.html for more information on
the subject.

One thing that you have to be careful with in reference to ACID is the
timeout you have set for PHP.  If it's in the middle of an operation and PHP
decides the task has been running too long, it will give your process the
axe.  If the code isn't written with that in mind it could easily corrupt
your data :( 

-----Original Message-----
From: Brei, Matt [mailto:mbrei at ...8727...]
Sent: Wednesday, May 21, 2003 9:46 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Acid database lost events, help!!!


I have been running snort for about 4 months.  The Snort db had about 12000
alerts and the archive db had about 19000.  I moved all of the alerts from
April to the archive db, ACID said it successfully moved 8000 alerts, which
SHOULD leave me with about 4000 in the main db and 27000 in the archive db.
The archive db only has about 20000 and the main db is now empty.  The
strange thing is, in the mysql db directory, none of the main Snort db file
sizes got any smaller and the archive files grew in size.  What happened to
the alerts?

Snort 1.9.1 on Redhat 7.2 alerts to
ACID v0.9.6b23, MySQL 3.23.56, Apache 2.0.45 on RedHat 8

Matt Brei
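To make the advice above concrete, here is an added example (not from either poster, and not ACID's own archive code) of how to check what actually happened from the MySQL side. It assumes the standard snort database schema that ACID reads, in which the `event` table has columns `sid`, `cid`, `signature` and `timestamp`; the database names `snort` and `snort_archive` and the April 2003 date range are assumptions chosen to match the post.

```sql
-- Added example, not code from the original thread or from ACID itself.
-- Assumes the snort DB schema used by ACID (event table: sid, cid,
-- signature, timestamp) and databases named snort and snort_archive.

-- 1. Count rows. This, not the size of the .MYD files, says how many
--    alerts each database really holds.
SELECT COUNT(*) AS main_events    FROM snort.event;
SELECT COUNT(*) AS archive_events FROM snort_archive.event;

-- 2. Show how much of the main event table is dead space left behind by
--    DELETEs. A non-zero Data_free column is the reclaimable part.
SHOW TABLE STATUS FROM snort LIKE 'event';

-- 3. Reclaim it. OPTIMIZE TABLE rewrites the table and locks it while it
--    runs, so do this when Snort is not inserting heavily.
OPTIMIZE TABLE snort.event;

-- 4. Move one month of events by hand, checking counts before deleting.
--    MyISAM on MySQL 3.23 has no transactions, so the only safe order is
--    copy, verify, delete. A PHP timeout in the middle of ACID's own
--    copy/delete loop is exactly what leaves the two databases out of step.
INSERT INTO snort_archive.event (sid, cid, signature, timestamp)
SELECT sid, cid, signature, timestamp
FROM snort.event
WHERE timestamp >= '2003-04-01' AND timestamp < '2003-05-01';

-- Both counts must match before anything is removed from the main db.
SELECT COUNT(*) AS to_move
  FROM snort.event
 WHERE timestamp >= '2003-04-01' AND timestamp < '2003-05-01';
SELECT COUNT(*) AS moved
  FROM snort_archive.event
 WHERE timestamp >= '2003-04-01' AND timestamp < '2003-05-01';

-- Only after to_move = moved:
DELETE FROM snort.event
 WHERE timestamp >= '2003-04-01' AND timestamp < '2003-05-01';
```

The example touches only the `event` table; a real archive also has to carry the per-event rows in the related tables (`iphdr`, `tcphdr`, `data` and so on, keyed by `sid`/`cid`), so run the same copy-verify-delete sequence for each of them. If the `INSERT ... SELECT` stops with a duplicate-key error, the archive already held some of those `(sid, cid)` pairs from an earlier partial run, and the count comparison will show the mismatch. For the PHP side, raising `max_execution_time` in `php.ini` (or calling `set_time_limit()` before a long archive operation) avoids the mid-operation kill the reply warns about.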