Snort mailing list archives

Idea my snort database..!!


From: kamesh_rajaram () sify com
Date: Fri, 05 Apr 2002 20:49:13 +0500 (IST)

Hi Snort/Demarc Users..!!

There is trouble running snort. If load becomes heavy...snort stops logging. There are quite a few 
processes (usually inserts) in mysql which lock the important tables of the snort database. This can be seen by running:

mysql> show processlist;

The % CPU utilisation also becomes close to 99%. The traffic in our case is somewhere near 200,000 packets a day. This 
causes the mysql server to slow down after 2 days with in-between halts..!! Then we shut down & restart snort & mysql. 
Ultimately, we end up deleting data to make it work. But we want the details for at least 3 days. Thus, the very purpose 
of snort is defeated.

To solve this problem we decided to write a script which takes the minimal required information (like ip addr, event 
nos.,..etc) from the snort database and logs it into a new database in the same server. By doing this we thought we can 
log the information and delete the data in snort database. We had put that script in the crontab to run every hour. 
Even this did not work properly. 

There is another idea. What if we create the same database schema of snort under different names like snort1, snort2, 
snort3? Use one database for logging every day. We can do this as a cycle for 3 days. The fourth day will have 
snort1 for logging again. Do you think this scheme will work...?? Does it make sense to do it this way...?? Our ideology 
is to analyse the packets that come in. 

Our basic problem is that mysql gets hung frequently. We want snort to run smoothly. Is there any way in which we can fine 
tune the mysql database so that this kind of problem does not happen..?? Hope I am clear in explaining the problem and 
the scheme.....I expect your valuable comments & advice in this regard.....

Bye,
Kamesh.