[Snort-users] Snort, Barnyard, Mysql

João Mota joao at ...13547...
Mon Oct 17 03:14:24 EDT 2005

Jason Brvenik wrote:

>Raymond Owens wrote:
>>I have several questions relating to the use of Snort, Barnyard and
>>Mysql that hopefully someone can shed some light on.
>>First, I have heard that if Barnyard is run on the same platform that
>>the Snort sensor resides on, there is no performance enhancement because
>>the same box is doing both the sensing and the unified file output
>>parsing. Is this true? If so, what methods are employed to get the
>>unified files to another box?
>This is not true. Unified output is much faster than other output
>methods. Running barnyard on the same single processor system might have
>some cost associated with the sensing instance but if you are running at
>those speeds you should have a multiprocessor system for the task
>anyway. Moving the database to a different system is also a good idea if
>you have high performance needs.
I ran some tests some months ago with a single processor using nice
on the barnyard. The result was an even faster snort sensor.
The second question was to move the unified files to another box (not
the database). I think that this is not a good idea because it would
depend on a network filesystem or a cron file transfer. This would
generate traffic and would launch processes that could also choke the
CPU. Why not just use barnyard? I haven't compared the traffic that would
result with a network file system against the barnyard/sql one, but it
shouldn't be that different, so why add more complexity to the solution?

Answering your first question... Using barnyard enhances the
performance, even when it is on the same box and not "niced". But you
should try lowering its priority.
