[Snort-users] Snort/Barnyard2 performance with remote DB

Mike Lococo mikelococo at ...11827...
Tue Feb 28 17:51:35 EST 2012


On 02/27/2012 10:24 AM, turki wrote:
> Is there a way to evaluate the performance of sending alerts from
> Snort/Barnyard2 to a remote DB?

Use barnyard2 to do this measurement. Create an empty DB and set up the 
schema and permissions. Time a barnyard2 run against a single U2 file. 
Count how many alerts are in the DB and do the math to calculate your 
insert rate.

Also, many folks have suggested that barnyard2 will not create a 
bottleneck under any circumstances, which isn't true.  Barnyard2 won't 
bottleneck on CPU, RAM, or IO... but it can bottleneck due to network 
latency.  It has a single insert thread that requires ~7 tcp 
roundtrips to insert an alert into the DB.  If your DB is on a lan, 
you'll have a few milliseconds of latency and will be able to insert 100 
alerts per second or maybe even more, which is enough for a pretty 
chatty ruleset on a pretty big site.  If you have 200ms of latency due 
to a transatlantic link, you'll top out at 1-2 alerts per second which 
will bottleneck most sites.  This is tricky to diagnose: your DB will 
appear idle and barnyard2 will not use much CPU, but it will fall behind 
further and further on inserts.  Details on this issue are in a by2 
mailing list thread:

http://groups.google.com/group/barnyard2-users/browse_thread/thread/b2ef14bbc4ebe060

So, if you have a reasonably well-tuned ruleset and a DB with lan 
latency, barnyard2 won't be a bottleneck.  If you have a very high event 
rate, or a lot of network latency it absolutely will be.  This will 
improve with the new schema, but it won't scale to high-event rates on 
high-latency links without a substantial change to the DB output framework.

Cheers,
Mike Lococo
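
The measurement and the latency math described in the post above, as an added Python example that is not part of the original thread or of barnyard2 itself. It assumes the single-thread, ~7-roundtrips-per-alert model quoted in the post; the in-memory SQLite table, the per-alert sleep that stands in for network round trips, and the sample alerts are all constructed for the example and are not a real Snort DB.

```python
"""Estimate and measure barnyard2-style DB insert throughput.

Two things the post recommends, made concrete:
  1. an upper bound on alerts/second from latency alone (one insert
     thread, ~7 TCP round trips per alert), and how fast a backlog grows
     once the event rate exceeds it;
  2. timing a run of inserts and dividing rows inserted by elapsed time.
"""
import sqlite3
import time

# Round trips per alert quoted in the post for the legacy DB output schema.
ROUNDTRIPS_PER_INSERT = 7

# Constructed sample alerts: (sid, cid, signature id, timestamp).  Hypothetical.
SAMPLE_ALERTS = [
    (1, 1, 2000001, "2012-02-28 17:00:00"),
    (1, 2, 2000001, "2012-02-28 17:00:01"),
    (1, 3, 2000002, "2012-02-28 17:00:01"),
    (1, 4, 2000003, "2012-02-28 17:00:02"),
    (1, 5, 2000001, "2012-02-28 17:00:03"),
]


def max_insert_rate(rtt_seconds, roundtrips=ROUNDTRIPS_PER_INSERT):
    """Alerts/second a single insert thread can reach if latency is the
    only cost: one alert needs `roundtrips` sequential network round trips."""
    if rtt_seconds <= 0:
        raise ValueError("rtt_seconds must be positive")
    return 1.0 / (rtt_seconds * roundtrips)


def backlog_after(event_rate, rtt_seconds, seconds,
                  roundtrips=ROUNDTRIPS_PER_INSERT):
    """Alerts still waiting after `seconds` when events arrive at
    `event_rate`/s but the latency bound is lower.  Zero means keeping up."""
    deficit = event_rate - max_insert_rate(rtt_seconds, roundtrips)
    return max(0.0, deficit * seconds)


def insert_rate_from_run(rows_inserted, elapsed_seconds):
    """The post's measurement: count rows in the DB after a timed run."""
    if elapsed_seconds <= 0:
        raise ValueError("elapsed_seconds must be positive")
    return rows_inserted / elapsed_seconds


def time_insert_run(alerts, rtt_seconds, roundtrips=ROUNDTRIPS_PER_INSERT):
    """Simulate a barnyard2 run against a remote DB.

    SQLite in memory stands in for the DB; a sleep of roundtrips * rtt per
    alert stands in for the network round trips.  Returns
    (rows_in_db, elapsed_seconds, measured_rate).
    """
    conn = sqlite3.connect(":memory:")
    # Simplified stand-in for the Snort schema's event table (constructed).
    conn.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, "
                 "signature INTEGER, timestamp TEXT)")
    start = time.perf_counter()
    for sid, cid, sig, ts in alerts:
        time.sleep(rtt_seconds * roundtrips)  # latency cost of one alert
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                     (sid, cid, sig, ts))
        conn.commit()
    elapsed = time.perf_counter() - start
    rows = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    conn.close()
    return rows, elapsed, insert_rate_from_run(rows, elapsed)


if __name__ == "__main__":
    for label, rtt in (("LAN ~1 ms", 0.001), ("transatlantic ~200 ms", 0.200)):
        print(f"{label}: latency bound {max_insert_rate(rtt):.1f} alerts/s, "
              f"backlog after 1 h at 10 alerts/s: "
              f"{backlog_after(10, rtt, 3600):.0f}")
    rows, elapsed, rate = time_insert_run(SAMPLE_ALERTS, 0.002)
    print(f"simulated run: {rows} rows in {elapsed:.3f}s -> {rate:.1f} alerts/s")
```

The latency bound is an upper limit, not a prediction: real inserts also pay query execution time, so a measured run always comes in below `max_insert_rate` for the same RTT. Comparing the two numbers for your own link is the quickest way to tell whether barnyard2 is latency-bound (measured rate close to the bound) or DB-bound (measured rate far below it).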
