[Snort-users] Re: Snort and high performance networks
snort at ...10572...
Mon May 24 07:02:06 EDT 2004
I have the database on just a dual p3/700mhz box with 4GB of ram and
ACID does just fine no matter how many alerts it has. Loading the
main page takes a bit but that has more to do with the stats it
Last month I had over 12 million events in the db and it had no
If you search mysql.com, you can find several performance tips that
will help, especially if you have plenty of memory to throw at the
It is also a good idea to prune out the old alerts then run an
optimize on the tables. If you are running barnyard, then this won't
be a problem (since optimize will lock the tables).
>Date: Mon, 24 May 2004 15:33:35 +1200
>From: Jason Haar <Jason.Haar at ...294...>
>Organization: Trimble Navigation Ltd.
>To: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort and high performance networks
>Rafael Ortega wrote:
>>I'm currently snorting close to 800Mbps with no problem. What to do
>>the amount of info, is another story. I tried ACID, but after 24
>>700,000 events registered, the database becomes too slow, even after
>>indexing certain reference fields.
>>The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort
>How about OS? Also, anything special about the PCI bus and Ethernet
>choices? (e.g. I don't think standard 33Mhz PCI can do 800Mbs)
>You are correct about ACID. I love it - but it really grinds to a
>around 100K records
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1