Argus Database.

Peter Van Epp vanepp at sfu.ca
Sun Mar 13 23:44:43 EST 2005


	Hmmm, that may be worth trying. When I read about tying though it 
seemed to indicate that the hash was still in memory it just also went to disk 
which seemed to mean I'd have the same problem (exhaustion of the in memory 
portion of the hash) but that may just be one of unclear documentation or 
unclear reader :-). 
	The usual problem is a wide ranging port scan producing large numbers 
of single flows to different hosts. The index tends to blow up and while adding 
memory would help to some extent it is still possible to exhaust it (and doing 
the same to disk would be much harder as it can be much much larger easily). 
While the more memory trick would fix me for now, it wouldn't help someone 
like Eric with 5 or 10 times my traffic and a general solution would be more 
desirable.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> While this isn't a bad idea, I think you should try some simple approaches 
> to solve the memory problem before going the whole way to using mysql. 
> (And I'm a big mysql guy, so this isn't just mysql bashing.)
> 
> In particular, if you're storing lots of data in hashes, try tie'ing those 
> hashes to files on disk, so they don't eat up your memory.  You may have to 
> restructure your data format a bit to do this, if you're currently using 
> nested hashes, but it may be worth the effort.  tie'ing to a file actually 
> gets around some memory (mis)management problems with perl.  We've seen 
> code that was running a machine out of memory with an in memory hash result 
> in only a few megabyte file on disk when tie'd.
> 
> If you still want to go the database approach, I found this page in google 
> that indicates that someone else may have already done a bunch of the work 
> you're looking for:
> <http://article.gmane.org/gmane.network.argus/2626>
> 
> 
> -David
> 
> David Nolan                    <*>                    vitroth+ at cmu.edu
> curses: May you be forced to grep the termcap of an unclean yacc while
>      a herd of rogue emacs fsck your troff and vgrind your pathalias!
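The tie'd-hash approach David describes, as an added illustration rather than code from either poster: a flow index kept in a hash tied to an on-disk Berkeley DB file, with the nested ($src -> $dst) structure flattened into a single composite key, and per-source counts produced by streaming the btree in key order instead of building a second in-memory hash. The flow records are constructed, not real argus output, and DB_File is assumed to be installed (SDBM_File works the same way for small keys).

```perl
#!/usr/bin/perl
# Added example (not from the thread): count flows in a hash tied to a
# disk file so a wide port scan cannot exhaust process memory.
use strict;
use warnings;
use Fcntl;
use DB_File;

# Constructed sample records, "src dst dport" (hypothetical, not argus
# output). A port scan shows up as many single flows from one source.
my @flows = (
    "192.0.2.10 198.51.100.5 22",
    "192.0.2.10 198.51.100.6 22",
    "192.0.2.10 198.51.100.7 22",
    "192.0.2.10 198.51.100.5 22",
    "192.0.2.77 198.51.100.5 80",
);

my $dbfile = "flowindex.db";   # assumed writable in the current dir

# A tied hash cannot hold nested hashes ($idx{$src}{$dst} would only
# store a stringified reference), so flatten the key into one string.
my %count;
tie %count, 'DB_File', $dbfile, O_RDWR|O_CREAT, 0600, $DB_BTREE
    or die "cannot tie $dbfile: $!";

for my $rec (@flows) {
    my ($src, $dst, $dport) = split ' ', $rec;
    my $key = join "\t", $src, $dst, $dport;   # composite key
    $count{$key}++;                             # stored on disk, not in RAM
}

# $DB_BTREE iterates in sorted key order, so all keys for one source are
# adjacent: distinct (dst,dport) pairs per source can be counted in a
# single streaming pass with O(1) memory. Use each(), not keys(), since
# keys() would pull the whole key list back into memory.
my ($cur, $ndst) = (undef, 0);
while (my ($key, $n) = each %count) {
    my ($src) = split /\t/, $key;
    if (defined $cur && $src ne $cur) {
        printf "%-15s %d distinct dst/port pairs\n", $cur, $ndst;
        $ndst = 0;
    }
    $cur = $src;
    $ndst++;
}
printf "%-15s %d distinct dst/port pairs\n", $cur, $ndst if defined $cur;

untie %count;
unlink $dbfile;   # remove the constructed index when done
```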
