[Snort-users] Snort/Barnyard2 performance with remote DB

beenph beenph at ...11827...
Mon Feb 27 20:12:24 EST 2012


And if you want to benchmark the new output plugin that uses the old schema,
you can get it from the pre-release branch @
https://github.com/binf/barnyard2/tree/pre-stable

-elz


On Mon, Feb 27, 2012 at 2:33 PM, Jan Seidl <lists at ...15522...> wrote:
> Yes, Martin is right.
>
> Even if you get some clog in mysql or the network, barnyard2 will ship
> all the results as the unified2 files will be written and won't be
> lost.
>
> If you still want to have near real-time mysql archiving due to the use
> of snorby or BASE, you might want to fine tune your setup.
>
> BTW, I forgot to mention this article which covers other mysql
> benchmarking tools:
> http://www.devshed.com/c/a/MySQL/MySQL-Benchmarking-Tools-and-Utilities
>
> On Mon, Feb 27, 2012 at 4:29 PM, Martin Holste <mcholste at ...11827...> wrote:
>> My point was that Barnyard performance is largely irrelevant.  Do you
>> have some reason to believe it is not performing well?
>>
>> In any case, you are essentially asking for an alerts-per-second
>> statistic, which you could get manually with:
>> SELECT COUNT(*) AS count, timestamp FROM event WHERE timestamp >
>> DATE_SUB(NOW(), INTERVAL 60 SECOND) GROUP BY timestamp ORDER BY
>> timestamp;
>> That will show you alerts-per-second for the last minute.
>>
>> On Mon, Feb 27, 2012 at 1:22 PM, turki <turki_00 at ...131...> wrote:
>>> I am 100% convinced (and this what I am implementing right now) that using
>>> barnyard2 is more appropriate to insert alerts to DB rather than leaving
>>> this process to Snort by itself.
>>>
>>> However, maybe I need to further explain my question:
>>> How can I evaluate/measure barnyard's INSERT process to a remote DB? Or, in
>>> other words, how can we measure the throughput or the performance of
>>> barnyard2 while shipping alerts to a remote database?
>>> I would imagine something like barnyard ability to send alerts/seconds
>>> factor or something....
>>>
>>> Thank you,
>>> Turki
>>>
>>> ________________________________
>>> From: Martin Holste <mcholste at ...11827...>
>>> To: Joel Esler <jesler at ...1935...>
>>> Cc: turki <turki_00 at ...131...>; "snort-users at lists.sourceforge.net"
>>> <snort-users at lists.sourceforge.net>
>>> Sent: Monday, February 27, 2012 12:05:14 PM
>>> Subject: Re: [Snort-users] Snort/Barnyard2 performance with remote DB
>>>
>>> Since you're already using Barnyard2, Turki, it sounds like you're
>>> wondering if you should be concerned with Snort performance or
>>> Barnyard's INSERT performance.  The answer is that you should be
>>> concerned solely with Snort performance in almost all scenarios.
>>> Barnyard will INSERT as fast as it can, and since the data is safely
>>> on disk already as it does this, if it gets behind for a few minutes
>>> or hours, it's generally not a major issue.  However, if your alert
>>> volume is so great that you are overwhelming Barnyard, then your
>>> problem is not actually Barnyard but that you are alerting too much.
>>> That means you need to tune your rule set.  More than about 10 alerts
>>> per second is more than most small or medium networks generate, and
>>> more than 100 alerts per second is highly unusual and probably
>>> indicates a tuning problem.
>>>
>>> On Mon, Feb 27, 2012 at 10:01 AM, Joel Esler <jesler at ...1935...> wrote:
>>>> On Feb 27, 2012, at 10:24 AM, turki wrote:
>>>>
>>>> Hello Snort users,
>>>>
>>>> I am using Snort (2.9.0.5) and Barnyard2 (1.9) with a configuration that
>>>> sends alerts to a database. A MySql DB is the storage unit to save these
>>>> alerts and it is on a separate machine from the Snort/Barnyard2 machine.
>>>>
>>>> My question:
>>>> Is there a way to evaluate the performance of sending alerts from
>>>> Snort/Barnyard2 to a remote DB?
>>>> Is the focus here to monitor the throughput of the Snort node or the DB
>>>> node?
>>>> Any recommended benchmark tools for such an experiment?
>>>>
>>>>
>>>> So, a couple of thoughts here that may point you in the right direction.
>>>>
>>>> Snort, when outputting directly to DB, has to stop being an IDS in order to
>>>> "INSERT" into the db.  That's not generally a good thing!
>>>>
>>>> We recommend using Snort to output to unified2 and having barnyard2 input
>>>> into the DB.  We are actually going to be removing the direct-to-db output
>>>> from Snort in the next major release (2.9.3)
>>>>
>>>> Joel
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Try before you buy = See our experts in action!
>>>> The most comprehensive online learning library for Microsoft developers
>>>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>>>> Metro Style Apps, more. Free future releases when you subscribe now!
>>>> http://p.sf.net/sfu/learndevnow-dev2
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>>> news!
>>>
>>>
>>
>
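Martin's query works as a per-second histogram because event.timestamp in the Snort database schema has one-second resolution, but it returns one (timestamp, count) row only for seconds that had at least one alert. The helper below is an added example, not code from anyone in this thread: it turns that result set into the alerts-per-second figure Turki asked for, zero-filling the quiet seconds so the average covers the whole minute, and rates the result against the 10/s and 100/s rules of thumb from Martin's earlier message. SAMPLE_ROWS is a constructed stand-in for the query's output.

```python
from datetime import datetime, timedelta

# Constructed sample of what the GROUP BY timestamp query returns for a
# one-minute window: one (timestamp, count) row per second that had at least
# one alert.  Seconds with zero alerts never appear in the result set.
SAMPLE_ROWS = [
    ("2012-02-27 14:33:00", 3),
    ("2012-02-27 14:33:01", 7),
    ("2012-02-27 14:33:02", 120),  # a one-second burst
    ("2012-02-27 14:33:05", 4),
    ("2012-02-27 14:33:59", 2),
]

WINDOW_SECONDS = 60
BUSY_RATE = 10       # above ~10/s: more than most small/medium networks generate
UNUSUAL_RATE = 100   # above 100/s: highly unusual, probably a rule-set tuning problem

def _parse(ts):
    return ts if isinstance(ts, datetime) else datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def summarize_alert_rate(rows, window_end, window_seconds=WINDOW_SECONDS):
    """Summarise (timestamp, count) rows over the window ending at window_end (the query's NOW())."""
    end = _parse(window_end)
    start = end - timedelta(seconds=window_seconds)
    per_second = {}
    for ts, count in rows:
        t = _parse(ts)
        if start < t <= end:  # mirrors: timestamp > DATE_SUB(NOW(), INTERVAL 60 SECOND)
            per_second[t] = per_second.get(t, 0) + count
    total = sum(per_second.values())
    # Divide by the whole window, not by the number of rows: the query omits
    # quiet seconds, so averaging over the rows alone would overstate the rate.
    average = total / window_seconds
    peak_second, peak = max(per_second.items(), key=lambda kv: kv[1]) if per_second else (None, 0)
    if average > UNUSUAL_RATE:
        verdict = "tuning problem likely"
    elif average > BUSY_RATE:
        verdict = "busy"
    else:
        verdict = "normal"
    return {"total": total, "average_per_second": average, "peak": peak,
            "peak_second": peak_second.strftime("%Y-%m-%d %H:%M:%S") if peak_second else None,
            "verdict": verdict}

if __name__ == "__main__":
    print(summarize_alert_rate(SAMPLE_ROWS, "2012-02-27 14:33:59"))
```

The sustained average drives the verdict, since a rule-set that is "alerting too much" shows up as a steady rate; the peak is reported separately so a one-second burst is still visible.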