Snort mailing list archives
RE: a user experience w/ Snort, ACID & (Postgre|My) SQL
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Wed, 3 Oct 2001 09:34:50 -0400
PostgreSQL and MySQL are not the same animal. PostgreSQL is a complete relational database with all the features (and overhead) that go with a full db. MySQL lacks some of that functionality. One of the returns is better performance. It's an acceptable solution in many cases. Out-of-the-box Snort/ACID is one of those cases.

I've chosen to use Postgres because I've opted to add to the database schema some additional tables, triggers and procedures to do things that aren't included as part of the standard Snort or ACID applications, triggered each time a new event is added to the database (control chart stats stuff and exception reporting). There are other ways to do it... I could have written a new output plugin, for instance. But my overall goal is to do exception reporting (i.e. the sensors page me when an abnormal event occurs and point me to it). While I think ACID is a great analysis tool, I don't want to have to use it unless there's something I need to investigate, so blazing performance isn't that important. Putting the logic for my enhancements in the database seemed to be the most efficient way to do it.

-----Original Message-----
From: Saad Kadhi [mailto:bsdguy () noos fr]
Sent: Wednesday, October 03, 2001 3:15 AM
To: Snort Users
Subject: [Snort-users] a user experience w/ Snort, ACID & (Postgre|My)SQL

Hi there,

I am very new to Snort & practical ID, though I've read, like many, the books from Northcutt & co. I installed my first Snort sensors 4/5 weeks ago and, before continuing any further, I'd like to thank Marty & the crew for such a good system. I am writing this to share my experience on the subject if anyone is interested. If no one gives a heck about it, then sorry for the bandwidth noise :p

Since I am working on a project for my current employer for small-to-wide deployments of Snort, I chose for my first install PostgreSQL as the DB backend on an OpenBSD platform. I am not as knowledgeable w/ RDBMS as I am w/ OSes in general.

My OpenBSD kernel is as optimized as I can make it & I applied every trick I found about increasing PostgreSQL performance, but still, the ACID/PostgreSQL couple is *extremely* slow. The hardware I am using is very standard. I have been in touch w/ Chris Kuethe & Roman & others about this very subject, read the archives ... to no avail. Looked into DNS bottlenecks, fs performance, etc.

After a while, I switched the RDBMS to MySQL. Same hardware, just 'mv PostgreSQL MySQL'. And the performance skyrocketed. Literally. While it took ages to load the ACID main page w/ 5000 alerts w/ PostgreSQL as the backend, it showed in a snap w/ MySQL. I am stumped. The system is not *that* loaded (19% sys, 34% user at most & for very short times) in either case. The system is not swapping (or very little). But ACID/MySQL is much faster than ACID/PostgreSQL.

Please, I do not want to start a PostgreSQL vs. MySQL flame war. I am just saying that in my particular case, MySQL saves the day. The only problem I am having now is w/ persistent connections & httpd gobbling memory, but that's another story.

Regards,
--
/saad
[put your signature here] self-customize-sig(tm). another dumb patent...
nodisclaimer

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
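The "triggers and procedures fired on every new event" approach Fraser describes, as an added example that is not code from either poster. It assumes only a subset of the Snort database schema (the event and signature tables with the sid, cid, signature, timestamp and sig_id, sig_name, sig_priority columns); the sig_baseline and exception_report tables, the check_event_rate() function, the trailing-hour window and the 3-sigma control limit are all hypothetical choices made here, since the thread does not say which statistic Fraser used. The sample rows are constructed.

```sql
-- Added example, not from the thread. Snort's own schema is reduced to the
-- columns the trigger needs; everything below sig_baseline is a hypothetical
-- addition of the kind Fraser describes. Written for a current PostgreSQL
-- ($$ quoting); a 2001-era 7.x server needs the function body in single quotes.

CREATE TABLE signature (
    sig_id       SERIAL PRIMARY KEY,
    sig_name     VARCHAR(255) NOT NULL,
    sig_priority INT
);

CREATE TABLE event (
    sid        INT NOT NULL,                 -- sensor id
    cid        INT NOT NULL,                 -- per-sensor event counter
    signature  INT NOT NULL REFERENCES signature(sig_id),
    timestamp  TIMESTAMP NOT NULL,
    PRIMARY KEY (sid, cid)
);
-- The trigger's window query is the per-insert cost; keep it indexed.
CREATE INDEX event_sig_time ON event (sid, signature, timestamp);

-- Hypothetical: learned hourly rate per sensor/signature (the "control chart").
CREATE TABLE sig_baseline (
    sid             INT,
    signature       INT,
    mean_per_hour   NUMERIC NOT NULL,
    stddev_per_hour NUMERIC NOT NULL,
    PRIMARY KEY (sid, signature)
);

-- Hypothetical: what an external pager script polls; ACID is only opened
-- when a row appears here.
CREATE TABLE exception_report (
    id           SERIAL PRIMARY KEY,
    sid          INT,
    signature    INT,
    observed     INT,
    expected     NUMERIC,
    upper_limit  NUMERIC,
    reported_at  TIMESTAMP DEFAULT now(),
    acknowledged BOOLEAN DEFAULT FALSE
);

CREATE OR REPLACE FUNCTION check_event_rate() RETURNS trigger AS $$
DECLARE
    n_last_hour INT;
    b           sig_baseline%ROWTYPE;
    ucl         NUMERIC;
BEGIN
    -- Events from the same sensor with the same signature in the trailing hour,
    -- including the row that fired us (AFTER trigger, so it is visible).
    SELECT count(*) INTO n_last_hour
      FROM event
     WHERE sid = NEW.sid AND signature = NEW.signature
       AND timestamp > NEW.timestamp - INTERVAL '1 hour'
       AND timestamp <= NEW.timestamp;

    SELECT * INTO b FROM sig_baseline
     WHERE sid = NEW.sid AND signature = NEW.signature;

    IF NOT FOUND THEN
        -- No baseline: a signature this sensor has never produced is itself
        -- an exception. Report it once until someone acknowledges it.
        INSERT INTO exception_report (sid, signature, observed, expected, upper_limit)
        SELECT NEW.sid, NEW.signature, n_last_hour, 0, 0
         WHERE NOT EXISTS (SELECT 1 FROM exception_report e
                            WHERE e.sid = NEW.sid AND e.signature = NEW.signature
                              AND NOT e.acknowledged);
        RETURN NEW;
    END IF;

    -- Shewhart-style upper control limit: mean + 3 sigma (an assumption here).
    ucl := b.mean_per_hour + 3 * b.stddev_per_hour;
    IF n_last_hour > ucl THEN
        INSERT INTO exception_report (sid, signature, observed, expected, upper_limit)
        SELECT NEW.sid, NEW.signature, n_last_hour, b.mean_per_hour, ucl
         WHERE NOT EXISTS (SELECT 1 FROM exception_report e
                            WHERE e.sid = NEW.sid AND e.signature = NEW.signature
                              AND NOT e.acknowledged);
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER event_rate_check
    AFTER INSERT ON event
    FOR EACH ROW EXECUTE PROCEDURE check_event_rate();

-- Constructed sample data: one signature, a baseline of about 4 hits/hour
-- with sigma 1.5 on sensor 1 (UCL = 8.5), then a burst of ten hits in ten
-- minutes. The burst leaves exactly one unacknowledged exception_report row
-- for sensor 1 / signature 1; the deduplication keeps later hits from paging again.
INSERT INTO signature (sig_name, sig_priority) VALUES ('WEB-IIS cmd.exe access', 1);
INSERT INTO sig_baseline VALUES (1, 1, 4, 1.5);
INSERT INTO event (sid, cid, signature, timestamp)
SELECT 1, g, 1, TIMESTAMP '2001-10-03 03:00:00' + (g || ' minutes')::interval
  FROM generate_series(1, 10) AS g;

SELECT sid, signature, observed, expected, upper_limit FROM exception_report;
```

The paging itself stays outside the database (a cron job or LISTEN/NOTIFY consumer reads exception_report and clears acknowledged), which keeps the trigger short. Note that the window query runs on every Snort insert, which is exactly the kind of per-event cost that shows up as the slow page loads Saad describes, so the index and a bounded window matter more here than in ACID's read path.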
Current thread:
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Fraser Hugh (Oct 03)
- <Possible follow-ups>
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Kevin Brown (Oct 03)
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Jason Lewis (Oct 03)
- Re: a user experience w/ Snort, ACID & (Postgre|My) SQL Matt Watchinski (Oct 03)
- RE: a user experience w/ Snort, ACID & (Postgre|My) SQL Kevin Brown (Oct 04)
