Re: Snort drops packets with SQL logging.

[Chris Green <cmg () uab edu>]

Thomas Novin <thnov () thalamus se> writes:

> Hi all.
>
> We run snort with two machines, one with the snort program and one with mysql.
>
> Machine 1 (Snort) logs everything to Machine 2 (MySQL) via 100Mbit
> Ethernet. But it drops over 50% of the packages. What could cause
> this? Either machine or network is near full load. If I remove the
> output log database line and just log to a file instead no packets are
> dropped.
>
> Any idea why snort/MySQL can't keep up with this configuration? The
> network load is approx 20 Mbit (peaks 30).

This is a pretty common question and it is a good bit of why barnyard
was written.

Theres a ton to do on every database insert and snort is waiting on
MySQL to finish its thing before it can do its thing of looking at the
packets.

It's much better to log in unified or binary format and perform SQL
insertions and analysis as an independant activity from packet capturing.
-- 
Chris Green <cmg () uab edu>
A watched process never cores.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users