Re: Snort w/ Mysql's 'Insert Delayed' and Barnyard

[Jed Pickel <jed () pickel net>]

On Tue, Jul 09, 2002 at 03:22:56PM -0400, Tom Sevy wrote:
> I have a snort sensor server sniffing multiple lan segments.  Looks like
> barnyard might be a little bit of trouble to install for this scenario
> (muliple barnyard config files for multiple sensors?).
>
> Does anyone know if just modifiying spp_database.c and changing the 'INSERT
> INTO' sql commands to 'INSERT DELAYED INTO' is a bad idea?

The quick way to address this is to change the MYSQL_INSERT define in
spo_database.h.

Currently it looks like this... So just switch the comment.
/*#define MYSQL_INSERT "INSERT DELAYED " */
#define MYSQL_INSERT "INSERT "

I'm not sure the reason why the default was changed from INSERT DELAYED
to the current of INSERT. Checking the CVS logs the reason seems to be
the following... 

- temporarily removed support for the DELAYED clause in MySQL inserts
  (it was interferring with some of the code with the reference tags.
   Further investigation will be needed)

I use INSERT DELAYED on the snort instances I maintain and it works fine
(and fast) -- I have never had any packet loss (although I always run my
mysql server on the same host as snort). Also, I don't make use of the
reference tag in any of my rules; thus, I'm not familiar with the
problem mentioned in CVS.

Regards,

* Jed


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Stuff, things, and much much more.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users