Snort mailing list archives

Re: Diagnosing MySQL server has gone away messages


From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Tue, 21 Aug 2007 16:41:04 +0200

Hi,

> Can you explain what you mean by Snort "has to stop being an IDS"? If Snort
> is no longer an IDS when logging directly to a DB what is it?
>
> In order for Snort to do an insert, it has to stop being an IDS.
> [...]

That means that during the time needed to insert an alert into
the database (and there are several tables involved, and consequently
a lot of queries and inserts) snort won't be able to process new
incoming packets.

Of course, there is a buffer in the kernel/pcap library, but at least
you are at risk of missing some packets due to the time spent
inserting the last alert.

If in addition the access to the database is slow or has gone away, you will
lose a lot of packets.

Therefore it would be a good idea to decouple the output to a database
from snort. You can use Unified Output together with Barnyard to circumvent
this problem. Or you can use FLoP, which works similarly but skips the process
of having to write to local files.

Best regards

Dirk
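The decoupling described in the reply above, as an added configuration example that is not part of the post: the blocking `output database` line in snort.conf is replaced by unified output, and a separate Barnyard process drains the spool files into MySQL. Hostnames, credentials and file paths are placeholders, and the Barnyard directives are assumed to follow the Barnyard 0.2-era syntax.

```conf
# --- snort.conf, direct database logging (blocking) ---
# Snort performs every INSERT itself and reads no packets meanwhile; a slow
# or unreachable MySQL server therefore stalls packet processing.
# output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=db.example.com

# --- snort.conf, decoupled via unified output ---
# Snort only appends binary records to local spool files (fast, never waits
# on the network); files roll over at 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf, a separate process does the database work ---
# (assumed Barnyard 0.2-era syntax; paths and credentials are placeholders)
config daemon
config hostname: sensor1
config interface: eth0
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config
processor dp_alert
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.com, user snort, password CHANGEME

# Run Barnyard against the spool directory. The waldo file records the last
# record processed, so a restart after a MySQL outage resumes where it stopped
# while Snort has kept capturing the whole time:
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert -w /var/log/snort/barnyard.waldo
```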


