Snort mailing list archives

snort - MYSQL performance + packet dropped?


From: "Nyuk Loong Kiw" <Kiw () safecom co nz>
Date: Wed, 2 Mar 2005 09:54:50 +1300

Hi,
 
I am not sure if this has been asked before.
 
How can I tell if my snort box is dropping packets or not?? I checked
both the interface on the snort box itself as well as the switch port
that it's plugged into and I hardly see any errors at all... does it mean
I can pretty safely assume none of the packets are dropped?? Is there
any better way of finding this out?
 
Second question is, I have set up snort + MYSQL + BASE + snortreport etc
on a PII box with 512MB RAM (just my play box). It seems to be doing
its job fine until I plug it into a switch segment (with about 20 PCs
attached to it) and have all signatures turned on. I am having serious
performance problems with the MYSQL in that every time I try to view the
report via the snortreport interface or use BASE to look at alerts
etc, it can take as long as 2-3 minutes before I get the full page
loaded. I have tried stopping snort while doing the query via the PHP
page and it doesn't make any difference whether snort was logging to the
database at the same time or not. While doing the query, a top
shows me that mysqld is using all the CPU. Is this normal? Is there
anything I can do to increase MYSQL's performance? (e.g. is there any day
to day maintenance task that I am supposed to do daily to keep the DB
happy?) Or am I using a box that's not up to spec and the only way to
fix it is to put in better hardware??
 
What's the best way of logging from snort to MYSQL at the moment??
Currently I have got snort logging directly to mysql. I am aware that I
can get snort to log to some sort of log file (binary?) and get barnyard
to read from the log and export to MYSQL; is this how people normally do it
in a production environment (to improve performance)?
 
Sorry to ask so many Qs at the same time; I am pretty new to snort and am
getting pretty excited about what SNORT is capable of .. :)
 
 
Thanks
 
 
Kiw
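The first question above (is the sensor's interface losing packets before Snort ever sees them?) is one that can be answered from the kernel's own counters rather than by eyeballing ifconfig. The script below is an added example for this thread, not code from the original post or from the Snort project. It assumes a Linux box whose /proc/net/dev table has the standard column layout (receive bytes, packets, errs, drop, fifo, frame, compressed, multicast, then the transmit columns); the sample table embedded in it is constructed, and the function names are mine. Two checks are worth separating: the absolute value of the drop counter, which may be old history since boot, and its growth between two snapshots taken while Snort is actually running, which is the number that says whether the box keeps up with the segment.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Reads the Linux /proc/net/dev counter table and reports the receive-side
# "errs" and "drop" columns: the kernel-level view of whether the sniffing
# interface is losing packets before Snort gets to see them.

# Constructed sample in /proc/net/dev layout (eth0 shows errors and drops;
# its byte count is deliberately glued to the colon, as older kernels print it).
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1234567    9876    0    0    0     0          0         0  1234567    9876    0    0    0     0       0          0
  eth0:987654321 4321000    3  512    0     0          0       100 12345678  123456    0    0    0     0       0          0'

# netdev_rx_field IFACE N
#   Reads /proc/net/dev-formatted text on stdin and prints receive column N for
#   IFACE (1=bytes 2=packets 3=errs 4=drop 5=fifo 6=frame 7=compressed 8=multicast).
#   Splits on the colon first so a wide byte count glued to the name still parses.
netdev_rx_field() {
    awk -v want="$1" -v col="$2" -F: '
        NF == 2 {
            name = $1; gsub(/[ \t]/, "", name)
            if (name != want) next
            rest = $2; sub(/^[ \t]+/, "", rest)
            split(rest, f, /[ \t]+/)
            print f[col]; exit
        }'
}

# rx_drop_report IFACE
#   Reads a table on stdin (the live one via < /proc/net/dev, or a saved copy),
#   prints "IFACE rx_packets=... rx_errs=... rx_drop=..." and returns 0 when both
#   the error and the drop counter are zero, 1 otherwise, 2 if IFACE is absent.
rx_drop_report() {
    table=$(cat)
    pk=$(printf '%s\n' "$table" | netdev_rx_field "$1" 2)
    er=$(printf '%s\n' "$table" | netdev_rx_field "$1" 3)
    dr=$(printf '%s\n' "$table" | netdev_rx_field "$1" 4)
    [ -n "$pk" ] || { echo "$1: interface not found" >&2; return 2; }
    echo "$1 rx_packets=$pk rx_errs=$er rx_drop=$dr"
    [ "$er" -eq 0 ] && [ "$dr" -eq 0 ]
}

# rx_drop_delta IFACE BEFORE AFTER
#   BEFORE and AFTER are two saved copies of /proc/net/dev; prints how many
#   packets the kernel dropped on IFACE between them. A non-zero counter may be
#   stale history; growth while Snort is running is the signal that matters.
rx_drop_delta() {
    b=$(netdev_rx_field "$1" 4 < "$2")
    a=$(netdev_rx_field "$1" 4 < "$3")
    echo $((a - b))
}

# Stand-alone demo on the constructed sample. On a live sensor, run
#   rx_drop_report eth0 < /proc/net/dev
# and, for the delta, save /proc/net/dev before and after a busy interval.
printf '%s\n' "$SAMPLE_NETDEV" | rx_drop_report eth0 \
    || echo "eth0 is losing packets at the kernel level"
```

The interface counters only cover what the driver and kernel threw away; packets that the capture library drops on the way to Snort's decoder do not show up there, so these counters should be read alongside Snort's own packet statistics, which it prints when it shuts down.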

