[Snort-users] Snort/Barnyard2 performance with remote DB

Martin Holste mcholste at ...11827...
Mon Feb 27 12:05:14 EST 2012


Since you're already using Barnyard2, Turki, it sounds like you're
wondering if you should be concerned with Snort performance or
Barnyard's INSERT performance.  The answer is that you should be
concerned solely with Snort performance in almost all scenarios.
Barnyard will INSERT as fast as it can, and since the data is safely
on disk already as it does this, if it gets behind for a few minutes
or hours, it's generally not a major issue.  However, if your alert
volume is so great that you are overwhelming Barnyard, then your
problem is not actually Barnyard but that you are alerting too much.
That means you need to tune your rule set.  More than about 10 alerts
per second is more than most small or medium networks generate, and
more than 100 alerts per second is highly unusual and probably
indicates a tuning problem.

On Mon, Feb 27, 2012 at 10:01 AM, Joel Esler <jesler at ...1935...> wrote:
> On Feb 27, 2012, at 10:24 AM, turki wrote:
>
> Hello Snort users,
>
> I am using Snort (2.9.0.5) and Barnyard2 (1.9) with a configuration that
> sends alerts to a database. A MySQL DB is the storage unit that saves these
> alerts, and it is on a separate machine from the Snort/Barnyard2 machine.
>
> My question:
> Is there a way to evaluate the performance of sending alerts from
> Snort/Barnyard2 to a remote DB?
> Is the focus here to monitor the throughput of the Snort node or the DB
> node?
> Any recommended benchmark tools for such an experiment?
>
>
> So, a couple of thoughts here that may point you in the right direction.
>
> Snort, when outputting directly to the DB, has to stop being an IDS in order to
> "INSERT" into the DB.  That's not generally a good thing!
>
> We recommend using Snort to output to unified2 and having Barnyard2 input
> into the DB.  We are actually going to be removing the direct-to-DB output
> from Snort in the next major release (2.9.3).
>
> Joel
>
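Martin's advice above boils down to two checks: measure the alert rate Snort is actually producing (his rule of thumb being that more than about 10 alerts/s is unusual for a small or medium network and more than 100/s almost always means the rule set needs tuning), and treat Barnyard2 lag as a secondary concern because the unified2 spool is already on disk. The script below is an added example, not code from this list or from the Snort or Barnyard2 projects. It walks a unified2 spool file using the record layout documented for Snort 2.9 (8-byte big-endian type/length header, legacy IDS event record type 7 with sensor/event/time/signature fields as big-endian uint32), reports events per second and the rules that fire most, and computes how many spool bytes Barnyard2 has not yet consumed. The sample spool bytes are constructed inline; the waldo byte offset is passed in as a plain integer rather than parsed from Barnyard2's waldo file, which is an assumption made here to keep the example self-contained.

```python
"""Alert-rate and Barnyard2 backlog check for a unified2 spool (added example)."""
import struct
from collections import Counter

# unified2 record types as defined in the Snort 2.9 unified2 headers
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
EVENT_TYPES = {7, 72, 99, 100, 104, 105}   # IPv4/IPv6, MPLS and VLAN event variants

RECORD_HDR = struct.Struct(">II")   # record type, record length (big-endian)
# leading fields shared by all event variants:
# sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id, priority_id
EVENT_PREFIX = struct.Struct(">9I")


def iter_records(data):
    """Yield (type, payload) per record; stop at a truncated tail that Snort is still writing."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break                     # partial record: leave it for the next pass
        yield rtype, data[off:off + length]
        off += length


def alert_stats(data):
    """Events per second and top (generator, signature, revision) tuples in a spool."""
    per_second = Counter()
    per_rule = Counter()
    for rtype, payload in iter_records(data):
        if rtype in EVENT_TYPES and len(payload) >= EVENT_PREFIX.size:
            (_sensor, _eid, sec, _usec, sig_id, gen_id, sig_rev,
             _cls, _prio) = EVENT_PREFIX.unpack_from(payload, 0)
            per_second[sec] += 1
            per_rule[(gen_id, sig_id, sig_rev)] += 1
    total = sum(per_second.values())
    span = (max(per_second) - min(per_second) + 1) if per_second else 0
    return {
        "events": total,
        "span_seconds": span,
        "avg_per_second": total / span if span else 0.0,
        "peak_per_second": max(per_second.values()) if per_second else 0,
        "top_rules": per_rule.most_common(3),
    }


def tuning_verdict(avg_per_second):
    """Apply the thresholds Martin gives in the thread."""
    if avg_per_second > 100:
        return "over 100 alerts/s: highly unusual, almost certainly a tuning problem"
    if avg_per_second > 10:
        return "over 10 alerts/s: more than most small/medium networks, review the rule set"
    return "within the range the thread describes as normal"


def barnyard_backlog(spool_len, waldo_offset):
    """Bytes Barnyard2 has yet to read, given the byte offset it recorded in its waldo file."""
    return max(spool_len - waldo_offset, 0)


# --- constructed sample spool (not a real capture) -------------------------
def make_event(sec, gen_id, sig_id):
    body = EVENT_PREFIX.pack(1, 0, sec, 0, sig_id, gen_id, 1, 1, 2)
    body += b"\x00" * (52 - EVENT_PREFIX.size)      # ip/port/proto fields zeroed
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def make_packet():
    pkt = b"\x00" * 20                                # placeholder packet record body
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt


SAMPLE_SPOOL = b"".join([
    make_event(1000, 1, 2000000), make_event(1000, 1, 2000000), make_event(1000, 1, 2000000),
    make_packet(),
    make_event(1001, 1, 2001), make_packet(),
    make_event(1002, 1, 2000000), make_event(1002, 1, 2000000), make_packet(),
    RECORD_HDR.pack(UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10,   # truncated record in progress
])


if __name__ == "__main__":
    stats = alert_stats(SAMPLE_SPOOL)
    print(stats)
    print(tuning_verdict(stats["avg_per_second"]))
    # assumed waldo offset: Barnyard2 has consumed the first three event records
    print("backlog bytes:", barnyard_backlog(len(SAMPLE_SPOOL), 180))
```

Run it against a real spool by replacing `SAMPLE_SPOOL` with the bytes of a `snort.u2.*` file; if the average rate sits well above 10/s, the fix is in the rule set rather than in the database link, and a growing backlog figure that never drains is the only Barnyard2-side symptom worth watching.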
