Snort mailing list archives
RE: Question about best hardware
From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Mon, 8 Mar 2004 16:20:34 -0600
snortdb=# select count(*) from event;
 count
--------
 514109
(1 row)

In my "catch-all" database (I keep a catch-all db for forensic reasons, so I can go back and look at every little alert if necessary, and a "day-to-day" db, for common exploits), I currently have about half a million records, and generally archive when I reach around 4 million alerts.

Performance is not terrible (it takes 30 seconds or so to find events of interest when the db approaches 4 million recs), but I'm using Postgresql and not using ACID (I wanted some different capabilities, multiple user access levels, etc. so I made my own interface).

MySQL is generally faster than Postgresql though, and should be able to handle WAY more than 100K records w/o any problem.

As I mentioned, I am currently using Postgresql. However, MySQL4 and MaxDB have sparked anew an interest in MySQL, so I've been playing around with it a bit lately.

Perhaps a good way to run down the problem would be to turn on slow-query logging (with the --log-slow-queries option at MySQL startup), and then run those same queries interactively against the db with the EXPLAIN keyword to see what's causing them to be slow. I'd do this, but again I don't currently use MySQL or ACID...

HTH,

Andrew
On Sat, 2004-03-06 at 07:07, Kreimendahl, Chad J wrote:

Hardware won't be your problem. Once you get around 100k events in the snortdb on MySQL you'll run into major performance problems that almost no amount of hardware seems to solve.

You're dead right there. 100K does appear to be the limit for me too.

Is this a MySQL-specific issue? How does Postgresql or Oracle handle DBs over 100K? Has anyone tried to figure out the problem? There are apparently people using MySQL with terabytes of data (nothing to do with snort), so why is 100K of snort records such a big deal?

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thanks,

Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
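
The slow-query-log-then-EXPLAIN workflow suggested in the message above, as an added example that is not part of the original thread: a small parser for the classic MySQL slow-query-log layout that picks out SELECTs which examined far more rows than they returned and prints them prefixed with EXPLAIN. The sample log, the function names and the min_ratio threshold are assumptions made for illustration; event and iphdr are tables from the stock Snort database schema.

```python
import re

# Constructed sample in the classic MySQL slow-query-log layout (not from the thread).
SAMPLE_LOG = """\
# Time: 040308 16:02:11
# User@Host: acid[acid] @ localhost []
# Query_time: 31  Lock_time: 0  Rows_sent: 48  Rows_examined: 3998214
SELECT e.sid, e.cid, e.timestamp FROM event e
  JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
  WHERE i.ip_src = 167772161;
# User@Host: acid[acid] @ localhost []
# Query_time: 12  Lock_time: 0  Rows_sent: 1  Rows_examined: 514109
use snort;
SELECT count(*) FROM event;
# User@Host: snort[snort] @ localhost []
# Query_time: 11  Lock_time: 9  Rows_sent: 0  Rows_examined: 0
INSERT INTO event (sid, cid, signature, timestamp) VALUES (1, 514110, 7, NOW());
"""

STATS = re.compile(r"# Query_time: (\S+)\s+Lock_time: \S+\s+"
                   r"Rows_sent: (\d+)\s+Rows_examined: (\d+)")

def parse_slow_log(text):
    """Return one dict per logged statement, in log order (hypothetical helper)."""
    entries, current = [], None
    for line in text.splitlines():
        m = STATS.match(line)
        if m:  # the statistics line starts a new entry
            current = {"query_time": float(m[1]), "rows_sent": int(m[2]),
                       "rows_examined": int(m[3]), "sql": []}
            entries.append(current)
        elif line.startswith("#") or current is None or not line.strip():
            continue  # other header lines, blanks, or text before the first entry
        elif not re.fullmatch(r"(?i)(use\s+\w+|set\s+timestamp=\d+);", line.strip()):
            current["sql"].append(line.strip())  # statement may span several lines
    for e in entries:
        e["sql"] = " ".join(e["sql"]).rstrip(";")
    return entries

def explain_candidates(entries, min_ratio=1000):
    """SELECTs that examined at least min_ratio rows per row returned, worst
    first, each prefixed with EXPLAIN for pasting into the mysql client."""
    scans = [e for e in entries if e["sql"].upper().startswith("SELECT")
             and e["rows_examined"] >= min_ratio * max(e["rows_sent"], 1)]
    scans.sort(key=lambda e: e["rows_examined"], reverse=True)
    return ["EXPLAIN " + e["sql"] + ";" for e in scans]

if __name__ == "__main__":
    print("\n".join(explain_candidates(parse_slow_log(SAMPLE_LOG))))
```

A high Rows_examined against a low Rows_sent is the usual sign of a full table scan, which is what the EXPLAIN output for the same statement would then confirm or rule out.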