Snort mailing list archives

RE: Snort to Oracle

From: "Steven Rudolph" <srudolph () iocenter net>
Date: Fri, 3 Jan 2003 17:03:51 -0500

It is running on a sun Netra separate form Snort and my web server.  It
really starts bogging down at over 100K alerts.
The Netra easily reaches 100% CPU when doing queries when the database
is over 100K alerts.
I have an Sun E220r sitting around with dual procs, maybe that will work
better?
Ahh well, I made some major changes to the rulebase today and it is not
alerting as much now, but I will find out soon if this will work.
 
Thanks for all of your suggestions.
 
Steve

-----Original Message-----
From: O'Flynn, Derek [mailto:DOFlyn () lsuhsc edu]
Sent: Friday, January 03, 2003 2:48 PM
To: 'Steve Suehring'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort to Oracle



I have at least 15k alerts per day running on MySQL and don't have an
issue.  I usually keep about 300k alerts in my database before I purge
any out.

Machine is a P4 - 1.8Ghz, 1GB Ram running Redhat 7.3, Snort 1.9 

Derek 

-----Original Message----- 
From: Steve Suehring [ mailto:snort () braingia org
<mailto:snort () braingia org> ] 
Sent: Friday, January 03, 2003 1:24 PM 
To: snort-users () lists sourceforge net 
Subject: Re: [Snort-users] Snort to Oracle 

On Fri, Jan 03, 2003 at 01:07:53PM -0500, Nicholas Bachmann wrote:

I am getting well over 15K detected attempts a day and my database 
grows too quickly for MySql to handle (my current setup)


MySQL shouldn't have any problems handling 15K of anything per day.  

I personally wouldn't have much faith in Oracle handling it better, all 
things being equal.  Oracle has higher overhead and 15K of records isn't

that much data to begin with.  Obviously if you're running MySQL on a
486 
and Oracle on a P4 there would be a difference.  :) 

Are there specific issues that you're seeing with MySQL? 

Steve 


------------------------------------------------------- 
This sf.net email is sponsored by:ThinkGeek 
Welcome to geek heaven. 
http://thinkgeek.com/sf <http://thinkgeek.com/sf>  
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
<https://lists.sourceforge.net/lists/listinfo/snort-users>  
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>

Attachment: smime.p7s
Description:

Current thread:

Snort to Oracle Steven Rudolph (Jan 03)
- Re: Snort to Oracle Nicholas Bachmann (Jan 03)
  - Re: Snort to Oracle Steve Suehring (Jan 03)
- <Possible follow-ups>
- RE: Snort to Oracle O'Flynn, Derek (Jan 03)
- RE: Snort to Oracle Steven Rudolph (Jan 03)
- RE: Snort to Oracle Kreimendahl, Chad J (Jan 03)
- RE: Snort to Oracle Kreimendahl, Chad J (Jan 03)