Snort mailing list archives
Re: Packet Payload not appearing for internal traffic.
From: Chris Adams <chris () improbable org>
Date: Fri, 5 Oct 2001 20:25:07 -0700
On Friday, October 5, 2001, at 09:35, Susan Kay Coulter wrote:
You didn't mention which database you're using, or the snaplen ... but, I found that there is a very real limitation with mysql - depending on what OS and how it's configured. mysql tables have an upper limit of whatever the max file size is on your box. The 'data' table (which contains the payload) usually
http://www.mysql.com/doc/T/a/Table_size.html has a good discussion of the limits. Of interest is the RAID directive when creating tables - you can have MySQL use multiple files for a table, each of which can be up to the OS limit (4GB on most 32-bit systems). Perhaps even better for snort purposes are MERGE tables, which allow you to use multiple tables with identical configuration as a single table. This could be particularly nice if you want to rotate your logs - you could archive data monthly, have most of your code query the current table for immediate reporting and still be able to use all of your historical data for historical reporting.
Chris
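The MERGE-table rotation described in the message above, as an added example that is not part of the original post or of Snort's own schema scripts. The table names (`data_2001_09`, `data_2001_10`, `data_2001_11`, `data_all`) are hypothetical, and the three-column layout is assumed to follow Snort's `data` table.

```sql
-- Monthly MyISAM tables with identical definitions (names are hypothetical).
-- Column layout is an assumption modelled on Snort's `data` table:
-- sensor id, event id, packet payload.
-- Servers from the era of this message spell ENGINE= as TYPE=.
CREATE TABLE data_2001_09 (
    sid          INT UNSIGNED NOT NULL,
    cid          INT UNSIGNED NOT NULL,
    data_payload TEXT,
    PRIMARY KEY (sid, cid)
) ENGINE=MyISAM;

CREATE TABLE data_2001_10 LIKE data_2001_09;

-- MERGE table spanning every month. The key is declared as a plain index
-- because a MERGE table cannot enforce uniqueness across its member tables.
-- INSERT_METHOD=LAST routes inserts to the last table in the UNION list.
CREATE TABLE data_all (
    sid          INT UNSIGNED NOT NULL,
    cid          INT UNSIGNED NOT NULL,
    data_payload TEXT,
    INDEX (sid, cid)
) ENGINE=MERGE UNION=(data_2001_09, data_2001_10) INSERT_METHOD=LAST;

-- Immediate reporting: touch only the current month's file.
SELECT COUNT(*) AS payloads_this_month FROM data_2001_10;

-- Historical reporting: the same kind of query across all months.
SELECT sid, COUNT(*) AS payloads FROM data_all GROUP BY sid;

-- Monthly rotation: create the next table, then extend the union.
-- Each member table is a separate file, so each gets its own OS size limit.
CREATE TABLE data_2001_11 LIKE data_2001_09;
ALTER TABLE data_all UNION=(data_2001_09, data_2001_10, data_2001_11);

-- Archiving an old month: drop it from the union first, then move or
-- dump the underlying table.
ALTER TABLE data_all UNION=(data_2001_10, data_2001_11);
```

Because uniqueness of (sid, cid) is only enforced inside each monthly table, the writer must not reuse event ids across months if reports over `data_all` are expected to join cleanly against the event table.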