[Snort-users] Re: Snort and high performance networks

Aaron snort at ...10572...
Mon May 24 07:02:06 EDT 2004


I have the database on just a dual p3/700mhz box with 4GB of ram and 
ACID does just fine no matter how many alerts it has. Loading the 
main page takes a bit but that has more to do with the stats it 
gathers.

Last month I had over 12 million events in the db and it had no 
problems.

If you search mysql.com, you can find several performance tips that 
will help, especially if you have plenty of memory to throw at the 
problem.

http://www.mysql.com/

It is also a good idea to prune out the old alerts then run an 
optimize on the tables.  If you are running barnyard, then this won't 
be a problem (since optimize will lock the tables).

Regards,

Aaron


>Date: Mon, 24 May 2004 15:33:35 +1200
>From: Jason Haar <Jason.Haar at ...294...>
>Organization: Trimble Navigation Ltd.
>To:  snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Snort and high performance networks
>
>Rafael Ortega wrote:
>
>>Hello, All
>>
>>I'm currently snorting close to 800Mbps with no problem.  What to do 
>>with
>>the amount of info, is another story.  I tried ACID, but after 24 
>>hours and
>>700,000 events registered, the data base becomes too slow, even after
>>indexing certain reference fields.
>>...
>>The sniffer is an Intel Xeon 2.4GHz with 1GB RAM running only snort 
>>and
>>barnyard.
>>
>How about OS? Also, anything special about the PCI bus and Ethernet 
>card 
>choices? (e.g. I don't think standard 33Mhz PCI can do 800Mbs)
>
>You are correct about ACID. I love it - but it really grinds to a 
>halt 
>around 100K records
>
>-- 
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
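One way to script the prune-then-optimize step Aaron describes, added here as an example and not taken from the thread; it assumes the standard Snort MySQL schema tables keyed by (sid, cid) (event, iphdr, tcphdr, udphdr, icmphdr, opt, data) plus ACID's acid_event cache table, and a 30-day retention window that you would set to match your own policy:

```sql
-- Added example (not from the thread): prune alerts older than the
-- retention window, then OPTIMIZE the tables to reclaim space and
-- rebuild the indexes ACID relies on.
-- Assumptions: standard Snort MySQL schema (tables keyed by sid, cid),
-- ACID's acid_event table present, 30-day retention.
-- OPTIMIZE TABLE takes a table lock, so run this from cron while
-- barnyard is spooling alerts rather than with snort logging directly.

SET @cutoff = DATE_SUB(NOW(), INTERVAL 30 DAY);

-- Snapshot the keys to delete so every table sees the same set,
-- even if new events arrive while the deletes run.
CREATE TEMPORARY TABLE prune_keys (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);
INSERT INTO prune_keys
    SELECT sid, cid FROM event WHERE timestamp < @cutoff;

-- Dependent rows first; event last, since its timestamp drove the cutoff.
DELETE d FROM data    AS d JOIN prune_keys AS k ON d.sid = k.sid AND d.cid = k.cid;
DELETE o FROM opt     AS o JOIN prune_keys AS k ON o.sid = k.sid AND o.cid = k.cid;
DELETE t FROM tcphdr  AS t JOIN prune_keys AS k ON t.sid = k.sid AND t.cid = k.cid;
DELETE u FROM udphdr  AS u JOIN prune_keys AS k ON u.sid = k.sid AND u.cid = k.cid;
DELETE i FROM icmphdr AS i JOIN prune_keys AS k ON i.sid = k.sid AND i.cid = k.cid;
DELETE p FROM iphdr   AS p JOIN prune_keys AS k ON p.sid = k.sid AND p.cid = k.cid;
DELETE a FROM acid_event AS a JOIN prune_keys AS k ON a.sid = k.sid AND a.cid = k.cid;
DELETE e FROM event   AS e JOIN prune_keys AS k ON e.sid = k.sid AND e.cid = k.cid;

DROP TEMPORARY TABLE prune_keys;

-- Reclaim the space freed by the deletes and rebuild indexes.
OPTIMIZE TABLE event, iphdr, tcphdr, udphdr, icmphdr, opt, data, acid_event;
```

ACID's alert-group tables (acid_ag_alert) are not covered here; if you use alert groups, prune them by the same (sid, cid) keys before dropping the temporary table.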