Snort mailing list archives

RE: Question on database for Snort


From: Paul Schmehl <pauls () utdallas edu>
Date: 01 Apr 2003 14:41:19 -0600

On Tue, 2003-04-01 at 13:24, Kreimendahl, Chad J wrote:
> My guess is that fewer joins are being done to get the speed lost in
> applications like ACID.  Specifically, with a primary key that is two
> values, you lose lots of points (create tons more CPU cycles and add
> enormous IO time) doing outer joins on tables (like you'd have to for
> tcphdr, icmphdr, udphdr...).
>
> Simply taking out those tables which join to iphdr will often save a
> great deal of time, but can be a problem when the information is
> needed... and the user has to wait a while for it to show up.

Actually that's not the case, but that's also not the primary reason we
began working on our own frontend.  The inability to search for all
events by IP was the biggest driving force and the slow response time
was the second biggest reason.  We also didn't see the need to cache
events rather than simply querying the database directly.  Caching tends
to skew the view you have of what's going on, in our opinion.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
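To make the query shape under discussion concrete, here is an added example (not code from either poster, nor from Snort or ACID) that builds a constructed, cut-down copy of the Snort schema in SQLite and runs the "all events involving one IP" search twice: once with the outer joins to tcphdr/udphdr/icmphdr on the composite (sid, cid) key, and once with only the iphdr join. The sample alerts and addresses are constructed for the example.

```python
import socket
import sqlite3

# Constructed, cut-down subset of the Snort database schema (real table and column
# names); every header table hangs off event by the composite (sid, cid) key.
SCHEMA = """
CREATE TABLE event   (sid INT, cid INT, signature INT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr   (sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr  (sid INT, cid INT, tcp_sport INT, tcp_dport INT, PRIMARY KEY (sid, cid));
CREATE TABLE udphdr  (sid INT, cid INT, udp_sport INT, udp_dport INT, PRIMARY KEY (sid, cid));
CREATE TABLE icmphdr (sid INT, cid INT, icmp_type INT, icmp_code INT, PRIMARY KEY (sid, cid));
"""

def ip2int(dotted):
    """Snort stores addresses as unsigned 32-bit integers, not dotted strings."""
    return int.from_bytes(socket.inet_aton(dotted), "big")

def build_sample_db():
    """Constructed sample data: three alerts, one each over TCP, ICMP and UDP."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?)", [(1, 1, 100), (1, 2, 101), (2, 1, 102)])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?)", [
        (1, 1, ip2int("10.0.0.5"), ip2int("192.168.1.10"), 6),      # TCP
        (1, 2, ip2int("10.0.0.5"), ip2int("192.168.1.20"), 1),      # ICMP
        (2, 1, ip2int("172.16.0.9"), ip2int("192.168.1.10"), 17)])  # UDP
    conn.execute("INSERT INTO tcphdr VALUES (1, 1, 44444, 22)")
    conn.execute("INSERT INTO icmphdr VALUES (1, 2, 8, 0)")
    conn.execute("INSERT INTO udphdr VALUES (2, 1, 5353, 53)")
    return conn

# Full "all events involving this IP" search: each protocol header table needs its
# own outer join on both key columns, which is the cost described in the thread.
FULL_QUERY = """
SELECT e.sid, e.cid, i.ip_proto, COALESCE(t.tcp_sport, u.udp_sport),
       COALESCE(t.tcp_dport, u.udp_dport), ic.icmp_type
FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t   ON t.sid = e.sid  AND t.cid = e.cid
LEFT JOIN udphdr u   ON u.sid = e.sid  AND u.cid = e.cid
LEFT JOIN icmphdr ic ON ic.sid = e.sid AND ic.cid = e.cid
WHERE i.ip_src = ? OR i.ip_dst = ? ORDER BY e.sid, e.cid"""

# Same search with only the iphdr join: answers "which events touch this IP?" and
# leaves per-protocol detail to a later lookup of the single event the user opens.
LIGHT_QUERY = """SELECT e.sid, e.cid, i.ip_proto FROM event e JOIN iphdr i
ON i.sid = e.sid AND i.cid = e.cid WHERE i.ip_src = ? OR i.ip_dst = ? ORDER BY e.sid, e.cid"""
def events_by_ip(conn, dotted, full=True):
    n = ip2int(dotted)
    return conn.execute(FULL_QUERY if full else LIGHT_QUERY, (n, n)).fetchall()
```

Both queries hit the same iphdr rows; only the full form pays for three extra two-column joins per matched event, which is the trade-off between showing ports and ICMP types up front and answering the by-IP search quickly.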


