[Snort-users] Where's Waldo?

beenph beenph at ...11827...
Thu Oct 11 18:02:35 EDT 2012

On Thu, Oct 11, 2012 at 5:13 PM, Paul Schmehl <pschmehl_lists at ...14358...> wrote:
> --On October 11, 2012 8:58:12 PM +0100 Peter Bates <peter.bates at ...15381...>
> wrote:
>> Hello all
>> On 11/10/2012 20:29, AllowOverride wrote:
>>> Just a test: I will clear tables, close the browser, come back in 1
>>> hour increments, and see if that is the issue. It takes an hour to
>>> input new data after the BASE clear table buttons have cleared. I'm
>>> assuming there is a switch in the configs to make it quicker.
>> I've never personally looked for the option to clear tables in BASE
>> but I can say I use a script called archivesnort.pl which moves alerts
>> after 7 days to the archive DB and deletes them after 30.

The condition mentioned earlier by Waldo Kitty is called "backlog".

Backlog is a state where you are receiving/generating a lot of
unified2 events, so much that even if barnyard2 is reading them it's
not outputting them fast enough.

That state was easily observable with barnyard2 2-1.9 if you were
outputting to database on a busy database or high latency link,
because of the way that the original port for the database output
was written.

Generating 1 query for every table and querying the signature tables
at every event.

The rewrite of the 2-1.10 database output plugin was mainly done to
address that issue and others, but now events are written in a single
block and signature queries are done only if the signature was not
already in cache. The minimum insert throughput performance has been
improved by 8 to 10 fold, if not more in some cases.

So if you observe backlog on 2-1.10 I would be interested in knowing things like:
1)  what is your backend DBMS
2)  what's the network latency between your barnyard2 node
3)  how many events/second you are generating.

I hope this sheds some light on the previous observation done by the concerned party.
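The two output patterns the post contrasts (one signature lookup and one INSERT per table for every event, versus a signature cache and block writes) can be seen side by side in the added example below. This is illustration code written for this page, not barnyard2's own output plugin: the three-table schema, the event records and the use of sqlite3 as a stand-in backend are all constructed and simplified, and the round-trip counter only approximates the network cost of each statement on a real remote database.

```python
"""Added example, not barnyard2 code: per-event writes vs. cached/batched
writes to a (simplified, constructed) Snort-style schema, counting the
database round trips each strategy needs for the same unified2-like input."""
import sqlite3
from collections import namedtuple

# Constructed event record; real unified2 records carry many more fields.
Event = namedtuple("Event", "sid gid rev msg timestamp src dst")

# Constructed, heavily reduced version of the classic Snort DB schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sid INT, gid INT, rev INT, msg TEXT);
CREATE TABLE event (cid INTEGER PRIMARY KEY, sig_id INT, timestamp TEXT);
CREATE TABLE iphdr (cid INT, src TEXT, dst TEXT);
"""


class CountingConnection:
    """Wraps an in-memory sqlite3 DB and counts statements sent to it
    (each execute/executemany is one round trip on a remote backend)."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
        self.round_trips = 0

    def execute(self, sql, params=()):
        self.round_trips += 1
        return self.conn.execute(sql, params)

    def executemany(self, sql, rows):
        self.round_trips += 1
        return self.conn.executemany(sql, rows)

    def commit(self):
        self.conn.commit()


def make_events(n):
    """Constructed sample input: n events cycling over three signatures."""
    return [Event(sid=1 + i % 3, gid=1, rev=1, msg=f"TEST sig {1 + i % 3}",
                  timestamp=f"2012-10-11 18:00:{i % 60:02d}",
                  src="10.0.0.1", dst="10.0.0.2") for i in range(n)]


def sig_lookup_or_insert(db, ev):
    """Resolve (sid, gid, rev) to a signature row id, inserting if unknown."""
    row = db.execute("SELECT sig_id FROM signature WHERE sid=? AND gid=? AND rev=?",
                     (ev.sid, ev.gid, ev.rev)).fetchone()
    if row:
        return row[0]
    cur = db.execute("INSERT INTO signature(sid,gid,rev,msg) VALUES (?,?,?,?)",
                     (ev.sid, ev.gid, ev.rev, ev.msg))
    return cur.lastrowid


def write_per_event(db, events):
    """Old pattern: signature query plus one INSERT per table, per event.
    Returns the number of round trips this call used."""
    before = db.round_trips
    for ev in events:
        sig_id = sig_lookup_or_insert(db, ev)
        cur = db.execute("INSERT INTO event(sig_id,timestamp) VALUES (?,?)",
                         (sig_id, ev.timestamp))
        db.execute("INSERT INTO iphdr(cid,src,dst) VALUES (?,?,?)",
                   (cur.lastrowid, ev.src, ev.dst))
        db.commit()
    return db.round_trips - before


def write_batched(db, events, sig_cache):
    """New pattern: signatures come from sig_cache (queried only on a miss),
    then the whole block is written with one statement per table."""
    before = db.round_trips
    resolved = []
    for ev in events:
        key = (ev.sid, ev.gid, ev.rev)
        if key not in sig_cache:
            sig_cache[key] = sig_lookup_or_insert(db, ev)
        resolved.append((sig_cache[key], ev))
    # Assign cids locally so event and iphdr rows can be written as blocks.
    start = db.execute("SELECT COALESCE(MAX(cid),0) FROM event").fetchone()[0]
    event_rows = [(start + i + 1, sig_id, ev.timestamp)
                  for i, (sig_id, ev) in enumerate(resolved)]
    ip_rows = [(start + i + 1, ev.src, ev.dst) for i, (_, ev) in enumerate(resolved)]
    db.executemany("INSERT INTO event(cid,sig_id,timestamp) VALUES (?,?,?)", event_rows)
    db.executemany("INSERT INTO iphdr(cid,src,dst) VALUES (?,?,?)", ip_rows)
    db.commit()
    return db.round_trips - before


def row_count(db, table):
    return db.conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def compare(n_events=100):
    """Run both writers on identical constructed input and report round trips."""
    events = make_events(n_events)
    old = CountingConnection()
    per_event = write_per_event(old, events)
    new = CountingConnection()
    cache = {}
    cold = write_batched(new, events, cache)   # cache empty: 3 signatures resolved
    warm = write_batched(new, events, cache)   # cache warm: no signature queries
    return {"per_event": per_event, "batched_cold": cold, "batched_warm": warm,
            "old_events": row_count(old, "event"), "new_events": row_count(new, "event"),
            "new_signatures": row_count(new, "signature")}


if __name__ == "__main__":
    print(compare(100))
```

For 100 events over 3 signatures the per-event writer sends about three statements per event, while the batched writer sends a handful per block regardless of block size; on a high-latency link that difference in round trips, not raw query cost, is what turns a steady event rate into backlog.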

