[Snort-users] Snort/Barnyard2 performance with remote DB

beenph beenph at ...11827...
Tue Feb 28 19:37:40 EST 2012


On Tue, Feb 28, 2012 at 5:51 PM, Mike Lococo <mikelococo at ...11827...> wrote:
> On 02/27/2012 10:24 AM, turki wrote:
>> Is there a way to evaluate the performance of sending alerts from
>> Snort/Barnyard2 to a remote DB?
>
> Use barnyard2 to do this measurement. Create an empty DB and set up the
> schema and permissions. Time a barnyard2 run against a single U2 file.
> Count how many alerts are in the DB and do the math to calculate your
> insert rate.
>
> Also, many folks have suggested that barnyard2 will not create a
> bottleneck under any circumstances, which isn't true.  Barnyard2 won't
> bottleneck on CPU, RAM, or IO... but it can bottleneck due to network
> latency.  It has a single insert thread that requires ~7 tcp
> roundtrips to insert an alert into the DB.  If your DB is on a lan,
> you'll have a few milliseconds of latency and will be able to insert 100
> alerts per second or maybe even more, which is enough for a pretty
> chatty ruleset on a pretty big site.  If you have 200ms of latency due
> to a transatlantic link, you'll top out at 1-2 alerts per second which
> will bottleneck most sites.  This is tricky to diagnose: your DB will
> appear idle and barnyard2 will not use much CPU, but it will fall behind
> further and further on inserts.  Details on this issue are in a by2
> mailing list thread:
>
> http://groups.google.com/group/barnyard2-users/browse_thread/thread/b2ef14bbc4ebe060
>
> So, if you have a reasonably well-tuned ruleset and a DB with lan
> latency, barnyard2 won't be a bottleneck.  If you have a very high event
> rate, or a lot of network latency it absolutely will be.  This will
> improve with the new schema, but it won't scale to high-event rates on
> high-latency links without a substantial change to the DB output framework.
>


The revamped output plugin using the old schema will increase your
perf... at least by a factor of 10 if not more (trying to be
conservative here).

Have you tried it?

-elz
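A small model of the latency argument in Mike's reply, added here as an example and not code from barnyard2 itself: it turns the timed U2-file benchmark into a measured insert rate and compares it with the round-trip ceiling of a single insert thread. The 7 round trips per alert come from the post; the factor-of-two "latency bound" threshold and the sample figures are assumptions.

```python
"""Model of barnyard2's DB insert path as described in the thread (added example,
not barnyard2 code): one insert thread, ~7 TCP round trips per alert, so the
insert rate is capped by network latency regardless of CPU, RAM or disk."""
from dataclasses import dataclass

ROUNDTRIPS_PER_ALERT = 7  # figure quoted in the post, not measured here


def latency_bound_rate(rtt_ms: float, roundtrips: int = ROUNDTRIPS_PER_ALERT) -> float:
    """Upper bound on alerts/second when every insert costs `roundtrips` RTTs."""
    if rtt_ms <= 0:
        raise ValueError("rtt_ms must be positive")
    return 1000.0 / (roundtrips * rtt_ms)


def measured_insert_rate(alert_count: int, elapsed_s: float) -> float:
    """Rate from the benchmark in the post: time one barnyard2 run over a single
    U2 file into an empty DB, then count the rows that landed."""
    if elapsed_s <= 0:
        raise ValueError("elapsed_s must be positive")
    return alert_count / elapsed_s


@dataclass
class Diagnosis:
    latency_ceiling: float   # alerts/s the link allows at best
    measured_rate: float     # alerts/s actually achieved in the benchmark
    backlog_per_hour: float  # alerts left unprocessed per hour at event_rate
    latency_bound: bool      # heuristic: measured rate near the link ceiling


def diagnose(rtt_ms: float, alert_count: int, elapsed_s: float,
             event_rate: float) -> Diagnosis:
    """Compare the benchmark against the latency ceiling for a given RTT.
    `event_rate` is the sensor's alerts/s; anything above the measured insert
    rate accumulates as unified2 backlog while DB and CPU look idle."""
    ceiling = latency_bound_rate(rtt_ms)
    measured = measured_insert_rate(alert_count, elapsed_s)
    deficit = max(0.0, event_rate - measured)
    # Heuristic threshold (assumption): within a factor of two of the ceiling
    # means the round trips, not the DB, are what limits the insert thread.
    return Diagnosis(ceiling, measured, deficit * 3600.0, measured >= ceiling / 2)


if __name__ == "__main__":
    # Constructed figures: 200 ms link, 40 alerts inserted in 60 s, sensor at 5 alerts/s.
    d = diagnose(rtt_ms=200, alert_count=40, elapsed_s=60, event_rate=5.0)
    print(f"ceiling {d.latency_ceiling:.2f}/s, measured {d.measured_rate:.2f}/s, "
          f"backlog {d.backlog_per_hour:.0f}/h, latency bound: {d.latency_bound}")
```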
