[Snort-users] mysql database "gone away"

Dirk Geschke Dirk_Geschke at ...1344...
Mon Jul 16 10:23:51 EDT 2007


Hi David,

[...]
> Obviously it would be nice if some process could be configured to retry
> this connection and get the data back to the server.  What do other people
> use to get over this problem?  I mean, if you have a connectivity problem
> into your data centre and you lose connectivity to all your probes, do people
> really manually log into each remote probe and restart the service?  It
> just seems a bit . . . manual.  I accept that it is a limitation of the mysql
> client in use, but in practical terms what do people do to ensure the database
> link doesn't stay down for hours(days/weeks) after a temporary glitch like this?

The problem is already solved by using other mechanisms to feed the database...

You can for example use barnyard or FLoP for this purpose, both will be able
to react to a missing database link in the right way: They try to re-connect.

The problem with the database output-plugin of snort is obviously: Do you
really want to block snort's detection processing until a connection to
the database was re-enabled?

Even with a working database: Snort has to wait until all data is fed
into the database before it can process the next packet. Sounds a little
bit like a bottleneck, or?

Best regards

Dirk
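
The decoupling described in this message, as an added Python example that is not part of the original post and is not barnyard's or FLoP's code: the detection path only appends to a bounded spool, and a separate forwarder drains it, reconnecting with exponential backoff. `FlakyDB`, `Spooler`, the in-memory spool (the real tools read log files from disk) and all parameters are assumptions made for illustration.

```python
import collections
import time

class FlakyDB:
    """Constructed stand-in for a database link that is down for a while."""
    def __init__(self, fail_first):
        self.fail_first, self.attempts = fail_first, 0
        self.connected, self.rows = False, []

    def connect(self):
        self.attempts += 1
        if self.attempts <= self.fail_first:
            raise ConnectionError("MySQL server has gone away")
        self.connected = True

    def insert(self, alert):
        if not self.connected:
            raise ConnectionError("not connected")
        self.rows.append(alert)

class Spooler:
    """Hypothetical spool between the detection path and the database."""
    def __init__(self, db, max_spool=1000, sleep=time.sleep):
        self.db, self.sleep, self.dropped = db, sleep, 0
        self.spool = collections.deque(maxlen=max_spool)

    def log_alert(self, alert):
        # Detection path: never touches the database, so it cannot block.
        if len(self.spool) == self.spool.maxlen:
            self.dropped += 1            # oldest alert is evicted; count it
        self.spool.append(alert)

    def drain(self, max_retries=5, base_delay=1.0, max_delay=60.0):
        # Forwarder path: flush the spool, reconnecting with backoff.
        retries = 0
        while self.spool:
            try:
                if not self.db.connected:
                    self.db.connect()
                self.db.insert(self.spool[0])
                self.spool.popleft()     # remove only after a successful insert
                retries = 0
            except ConnectionError:
                self.db.connected = False
                retries += 1
                if retries > max_retries:
                    return False         # still down; alerts stay spooled
                self.sleep(min(base_delay * 2 ** (retries - 1), max_delay))
        return True
```

The `dropped` counter is worth monitoring: a spool that overflows during a long outage loses the oldest alerts silently otherwise.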




