Snort mailing list archives
Snort drops packets with SQL logging.
From: Thomas Novin <thnov () thalamus se>
Date: Mon, 12 Nov 2001 17:36:35 +0100
Hi all. We run snort with two machines, one with the snort program and one with mysql. Machine 1 (Snort) logs everything to Machine 2 (MySQL) via 100Mbit Ethernet. But it drops over 50% of the packages. What could cause this? Either machine or network is near full load. If I remove the output log database line and just log to a file instead no packets are dropped.
This is my snort.conf on Machine 1:

# Packets that we don't want to log (MySQL)
pass tcp 10.0.0.248/32 any -> x.x.x.x/32 3306
pass tcp x.x.x.x/32 3306 -> 10.0.0.248 any
# Everything else gets logged
log tcp any any -> any any (msg:"tcp";)
log udp any any -> any any (msg:"udp";)
log icmp any any -> any any (msg:"icmp";)
# Send logs to mysql database snort_eag on harrier
output database: log, mysql, dbname=snort_eag user=eagle host=x.x.x.x password=password encoding=hex detail=fast
Any idea why snort/MySQL can't keep up with this configuration? The network load is approx 20 Mbit (peaks 30).
Regards,
Thomas.
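One check worth doing on a configuration like the one above is to confirm that the pass rules really exclude the sensor's own Snort-to-MySQL traffic, since otherwise every database write is itself logged and the load feeds back on itself. The script below is an added example, not code from the original post or from Snort; it models only Snort 1.x rule headers (options in parentheses are ignored) with the default Alert -> Pass -> Log evaluation order, and substitutes the constructed address 10.0.0.2 for the obfuscated x.x.x.x.

```python
import ipaddress

# Constructed copy of the rule headers from the post; 10.0.0.2 stands in
# for the obfuscated MySQL host x.x.x.x.
RULES = """
pass tcp 10.0.0.248/32 any -> 10.0.0.2/32 3306
pass tcp 10.0.0.2/32 3306 -> 10.0.0.248 any
log tcp any any -> any any (msg:"tcp";)
log udp any any -> any any (msg:"udp";)
log icmp any any -> any any (msg:"icmp";)
"""

# Snort 1.x default rule application order (without the -o switch).
ORDER = {"alert": 0, "pass": 1, "log": 2}


def parse_rule(line):
    """Return (action, proto, src, sport, dst, dport) from a rule header."""
    header = line.split("(", 1)[0].split()  # drop the option section
    action, proto, src, sport, arrow, dst, dport = header[:7]
    if arrow != "->":
        raise ValueError("only unidirectional rules are handled: " + line)
    return action, proto, src, sport, dst, dport


def addr_match(pattern, addr):
    # A bare address such as 10.0.0.248 is treated as a /32, as Snort does.
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(
        pattern, strict=False
    )


def port_match(pattern, port):
    return pattern == "any" or int(pattern) == port


def first_match(rules_text, proto, src, sport, dst, dport):
    """Return the action of the first rule matching the packet, or None."""
    lines = [l for l in rules_text.strip().splitlines() if l.strip() and not l.startswith("#")]
    rules = [parse_rule(l) for l in lines]
    rules.sort(key=lambda r: ORDER[r[0]])  # stable: file order kept within an action
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != proto:
            continue
        if (addr_match(rsrc, src) and port_match(rsport, sport)
                and addr_match(rdst, dst) and port_match(rdport, dport)):
            return action
    return None
```

A packet from the sensor to the database port should come back as `pass` in both directions, while any other TCP flow hits the catch-all `log` rule.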