Snort mailing list archives
Idea my snort database..!!
From: kamesh_rajaram () sify com
Date: Fri, 05 Apr 2002 20:49:13 +0500 (IST)
Hi Snort/Demarc Users..!!

There is trouble running snort. If load becomes heavy...snort stops logging. There are quite a few processes (usually inserts) in mysql which lock the important tables of the snort database. This can be seen by running:

    mysql> show processlist;

The % CPU utilisation also becomes close to 99%. The traffic in our case is somewhere near 200,000 packets a day. This causes the mysql server to slow down after 2 days with in-between halts..!! Then we shut down & restart snort & mysql. Ultimately, we end up deleting data to make it work. But we want the details for at least 3 days. Thus, the very purpose of snort is defeated.

To solve this problem we decided to write a script which takes the minimal required information (like ip addr, event nos., etc.) from the snort database and logs it into a new database on the same server. By doing this we thought we could log the information and delete the data in the snort database. We had put that script in the crontab to run every hour. Even this did not work properly.

There is another idea. What if we create the same database schema of snort under different names like snort1, snort2, snort3, and use one database for logging every day? We can do this as a cycle for 3 days. The fourth day will have snort1 for logging again. Do you think this scheme will work...?? Does it make sense to do it this way...??

Our ideology is to analyse the packets that come in. Our basic problem is that mysql gets hung frequently. We want snort to run smoothly. Is there any way in which we can fine-tune the mysql database so that this kind of problem does not happen..??

Hope I am clear in explaining the problem and the scheme.....I expect your valuable comments & advice in this regard.....

Bye,
Kamesh.
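The hourly copy-and-delete job described in the message, sketched as an added example that is not part of the original post or of Snort. It assumes Python's sqlite3 as an offline stand-in for MySQL, a reduced subset of the `event` and `iphdr` columns, and a hypothetical `event_summary` table; the sample rows are constructed.

```python
import sqlite3

BATCH = 500  # rows per transaction, so no single transaction touches more than this

def make_db():
    """In-memory stand-in with a reduced, assumed subset of the Snort tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT,
                            PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT,
                            PRIMARY KEY (sid, cid));
        -- hypothetical summary table holding only the fields worth keeping
        CREATE TABLE event_summary (sid INT, cid INT, signature INT, timestamp TEXT,
                                    ip_src INT, ip_dst INT, PRIMARY KEY (sid, cid));
    """)
    return db

def archive_batch(db, cutoff, batch=BATCH):
    """Copy up to `batch` events older than `cutoff`, then delete them; return the count."""
    rows = db.execute(
        "SELECT e.sid, e.cid, e.signature, e.timestamp, i.ip_src, i.ip_dst "
        "FROM event e LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        "WHERE e.timestamp < ? ORDER BY e.sid, e.cid LIMIT ?", (cutoff, batch)).fetchall()
    keys = [(r[0], r[1]) for r in rows]
    with db:  # copy and delete commit together, or roll back together on error
        db.executemany("INSERT OR IGNORE INTO event_summary VALUES (?,?,?,?,?,?)", rows)
        db.executemany("DELETE FROM iphdr WHERE sid = ? AND cid = ?", keys)
        db.executemany("DELETE FROM event WHERE sid = ? AND cid = ?", keys)
    return len(rows)

def archive_older_than(db, cutoff, batch=BATCH):
    """Repeat short batches until nothing older than `cutoff` is left."""
    total = 0
    while True:
        moved = archive_batch(db, cutoff, batch)
        total += moved
        if moved < batch:
            return total

def demo():
    db = make_db()
    # Constructed sample: 1200 events dated 2002-04-02 and 300 dated 2002-04-05.
    for cid in range(1, 1501):
        day = "2002-04-02" if cid <= 1200 else "2002-04-05"
        db.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, cid % 7, day + " 12:00:00"))
        db.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, 167772161, 167772162))
    db.commit()
    moved = archive_older_than(db, "2002-04-03 00:00:00")
    count = lambda table: db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    return moved, count("event"), count("iphdr"), count("event_summary")

if __name__ == "__main__":
    print(demo())
```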