Snort mailing list archives

a user experience w/ Snort, ACID & (Postgre|My)SQL


From: Saad Kadhi <bsdguy () noos fr>
Date: 03 Oct 2001 09:15:24 +0200

Hi there,

I am very new to Snort & practical ID though I've read, like many, the
books from Northcutt & co. I have installed my first Snort sensors 4/5
weeks ago and before continuing any further, I'd like to thank Marty &
the crew for such a good system. I am writing this to share my
experience on the subject if anyone is interested. If no one gives a
heck about it, then sorry for the bandwidth noise :p

Since I am working on a project for my current employer for
small-to-wide deployments of Snort, I chose for my first install
PostgreSQL as the DB backend on an OpenBSD platform. I am not as
knowledgeable w/ RDBMS as I am w/ OSes in general. My OpenBSD kernel is
as optimized as I can make it & I applied every trick I found about
increasing PostgreSQL performance but still, the ACID/PostgreSQL couple
is *extremely* slow. The hardware I am using is very standard. I have
been in touch w/ Chris Kuethe & Roman & others about this very subject,
read the archives ... to no avail. Looked into DNS bottlenecks, fs
performance ...etc. After a while, I switched the RDBMS to MySQL. Same
hardware, just 'mv PostgreSQL MySQL'. And the performance skyrocketed.
Literally. While it took ages to load the ACID main page w/ 5000 alerts
w/ PostgreSQL as the backend, it showed in a snap w/ MySQL. I am
stumped. The system is not *that* loaded (19%sys, 34%user at most & for
very short times) in either case. The system is not swapping (or very
little). But ACID/MySQL is much faster than ACID/PostgreSQL.

Please, I do not want to start a PostgreSQL vs. MySQL flame war. I am
just saying that in my particular case, MySQL saves the day. The only
problem I am having now is w/ persistent connections & httpd gobbling
memory but that's another story.

Regards,
-- 
/saad
[put your signature here]
self-customize-sig(tm). another dumb patent...
nodisclaimer

