[Snort-users] Snort, Barnyard, Mysql

João Mota joao at ...13547...
Mon Oct 17 03:14:24 EDT 2005


Jason Brvenik wrote:

>Raymond Owens wrote:
>  
>
>>I have several questions relating to the use of Snort, Barnyard and
>>Mysql that hopefully someone can shed some light on.
>> 
>>First , I have heard that if Barnyard is run on the same platform that
>>the Snort sensor resides on, there is no performance enhancement because
>>the same box is doing both the sensing and the unified file output
>>parsing. Is this true? If so, what methods are employed to get the
>>unified files to another box?
>>    
>>
>
>This is not true. Unified output is much faster than other output
>methods. Running barnyard on the same single processor system might have
>some cost associated with the sensing instance but if you are running at
>those speeds you should have a multiprocessor system for the task any
>way. Moving the database to a different system is also a good idea if
>you have high performance needs.
>  
>
I've run some tests some months ago with a single processor using nice 
on the barnyard. The result was an even faster snort sensor.
The second question was to move tge unified files to another box (not 
the database). I think that this is not a good idea becouse it would 
depend on a network filesystem or a cron file transfer. This would 
generate traffic and would launch processes that could also choke the 
CPU. Why not just use barnyard? I haven't compare traffic that would 
result with a network file system against the barnayrd/sql one, but 
should'nt be that diferent so why add more complexity to the solution?

Answering your first question... Using barnyard enchances the 
perfomance, even when it is on the same box and not "niced". But you 
should try lowering it's priority.






More information about the Snort-users mailing list