RE: Question on database for Snort

[Paul Schmehl <pauls () utdallas edu>]

On Mon, 2003-03-31 at 13:35, Kreimendahl, Chad J wrote:
> The majority of setups I've seen with mySQL tend to bog down greatly
> when you approach 100k events in the db.  Postgres seems to handle much
> more, but still has its problems as the numbers increase.  Oracle has
> been the most stable, for those I've had experience with.  I've seen
> several Oracle setups storing snort information running much more
> complex front-ends than ACID... that easily store and retrieve tens of
> millions of records without much more delay than it would a few
> thousand.
I have never tested PostgreSQL, so I can't speak to that, but I *can*
address one of your points above.  We are presently querying a mysql
database with 8 million alerts in it, using a web-based interface that
we are designing, and we are getting response times of under 3 seconds.

I think the response time of any front end to a database has a lot more
to do with how the queries are constructed than a lot of people
realize.  For example, a similar query using ACID takes about 680
seconds on a database with 1.5 million alerts in it.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member



-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users