Snort mailing list archives
Snort and SQL performance
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Wed, 05 Sep 2001 10:00:32 -0700
Currently running Version 1.8.1-RELEASE (Build 74) on a Netra T1 AC200 (500MHz Sparc IIe, 1GB RAM, 2x 18GB 10k RPM SCSI drives) and have it logging to a remote SQL database, MySQL 3.23.40 running on a Quad PII450 Xeon, 2GB RAM, 40GB Hard drive space devoted to the database.

I have noticed that as the database gets larger in size, the performance of snort begins to slip. During the summer when few to no students were present, snort was clocking along at 70% of the CPU. The semester has begun and network usage has risen, yet snort has slowly gone down from 70% to 45%. The only thing that has changed on the network is that the SQL Database has grown from 0 records on 8-13-01 to 2,632,460 records as of an hour and a half ago, listening on a total of 200Mb of bandwidth to various ISPs that service this campus.

I have also tried this with PostgreSQL, but while the insert performance may have been better the ACID performance for viewing the data was an order of magnitude, or more, worse (e.g. 100s for postgres vs. 10s for mysql). To me this suggests that there may still be some tuning options, either in mysql or in the spo_database plugin to improve the speed of the inserts to see if that keeps snort chugging along happily.

END OF LINE...