[Snort-users] Snort/Barnyard2 performance with remote DB
mikelococo at ...11827...
Tue Feb 28 17:51:35 EST 2012
On 02/27/2012 10:24 AM, turki wrote:
> Is there a way to evaluate the performance of sending alerts from
> Snort/Barnyard2 to a remote DB?
Use barnyard2 to do this measurement. Create an empty DB and set up the
schema and permissions. Time a barnyard2 run against a single U2 file.
Count how many alerts are in the DB and do the math to calculate your
Also, many folks have suggested that barnyard2 will not create a
bottleneck under any circumstances, which isn't true. Barnyard2 won't
bottleneck on CPU, RAM, or IO... but it can bottleneck due to network
latency. It has a single insert thread that requires ~7 tcp
roundtrips to insert an alert into the DB. If your DB is on a lan,
you'll have a few milliseconds of latency and will be able to insert 100
alerts per second or maybe even more, which is enough for a pretty
chatty ruleset on a pretty big site. If you have 200ms of latency due
to a transatlantic link, you'll top out at 1-2 alerts per second, which
will bottleneck most sites. This is tricky to diagnose: your DB will
appear idle and barnyard2 will not use much CPU, but it will fall behind
further and further on inserts. Details on this issue are in a by2
mailing list thread:
So, if you have a reasonably well-tuned ruleset and a DB with lan
latency, barnyard2 won't be a bottleneck. If you have a very high event
rate, or a lot of network latency it absolutely will be. This will
improve with the new schema, but it won't scale to high-event rates on
high-latency links without a substantial change to the DB output framework.
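The measurement the post recommends, as an added example that is not barnyard2 code: time sequential single-row inserts over one connection, count the rows, compute alerts per second, and compare that with the ceiling implied by ~7 roundtrips per insert. The sqlite3 in-memory database and the `event` table are constructed stand-ins so it runs offline; against a real remote DB you would pass any DB-API 2.0 connection instead (driver and paramstyle are assumptions, and the ceiling is an order-of-magnitude estimate).

```python
import sqlite3
import time

ROUNDTRIPS_PER_INSERT = 7  # figure quoted in the post for one barnyard2 insert


def create_schema(conn):
    """Minimal stand-in table; NOT the real barnyard2/snort schema."""
    cur = conn.cursor()
    cur.execute("CREATE TABLE IF NOT EXISTS event (sid INTEGER, cid INTEGER, "
                "signature INTEGER, ts TEXT)")
    conn.commit()


def measure_rtt(conn, samples=20):
    """Mean seconds per trivial query: approximates one network roundtrip."""
    cur = conn.cursor()
    start = time.perf_counter()
    for _ in range(samples):
        cur.execute("SELECT 1")
        cur.fetchall()
    return (time.perf_counter() - start) / samples


def measure_insert_rate(conn, n_alerts=200):
    """Insert n_alerts one at a time, committing each, like a single insert
    thread does. Returns (rows_now_in_table, alerts_per_second)."""
    cur = conn.cursor()
    start = time.perf_counter()
    for cid in range(1, n_alerts + 1):
        # '?' is the sqlite3 paramstyle; MySQL drivers typically use '%s'.
        cur.execute("INSERT INTO event (sid, cid, signature, ts) VALUES (?, ?, ?, ?)",
                    (1, cid, 1000001, "2012-02-28 17:51:35"))  # constructed alert
        conn.commit()
    elapsed = time.perf_counter() - start
    cur.execute("SELECT COUNT(*) FROM event")
    rows = cur.fetchone()[0]
    return rows, n_alerts / elapsed


def latency_ceiling(rtt_seconds, roundtrips=ROUNDTRIPS_PER_INSERT):
    """Upper bound on alerts/s if every insert costs `roundtrips` RTTs."""
    if rtt_seconds <= 0:
        return float("inf")
    return 1.0 / (roundtrips * rtt_seconds)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # swap for the real remote DB
    create_schema(conn)
    rtt = measure_rtt(conn)
    rows, rate = measure_insert_rate(conn)
    print(f"rtt={rtt*1000:.2f} ms  inserted={rows}  measured={rate:.1f}/s  "
          f"latency ceiling={latency_ceiling(rtt):.1f}/s")
```

If the measured rate sits near the latency ceiling while the DB host looks idle, the link, not the DB or barnyard2's CPU, is the limit.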