[Snort-users] Where's Waldo?

AllowOverride allowoverride at ...11827...
Thu Oct 11 20:05:27 EDT 2012


Thanks! That's a great answer, just what I was waiting to hear. Good job.
Keep it up :)

On Thu, 2012-10-11 at 18:02 -0400, beenph wrote:
> On Thu, Oct 11, 2012 at 5:13 PM, Paul Schmehl <pschmehl_lists at ...14358...> wrote:
> > --On October 11, 2012 8:58:12 PM +0100 Peter Bates <peter.bates at ...15381...>
> > wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >> Hello all
> >>
> >> On 11/10/2012 20:29, AllowOverride wrote:
> >>> Just a test: I will clear tables, and close the browser, come back in 1
> >>> hour increments, and see if that is the issue. It takes an hour to
> >>> input new data after the BASE clear table buttons have cleared. I'm
> >>> assuming there is a switch in the configs to make it quicker.
> >>
> >> I've never personally looked for the option to clear tables in BASE
> >> but I can say I use a script called archivesnort.pl which moves alerts
> >> after 7 days to the archive DB and deletes them after 30.
> >>
> 
> The condition mentioned earlier by Waldo Kitty is called "backlog".
> 
> Backlog is a state where you are receiving/generating a lot
> of unified2 events,
> so much that even if barnyard2 is reading them it is not outputting them
> fast enough.
> 
> That state was easily observable with barnyard2 2-1.9 if you were
> outputting to a database on a busy database
> or high latency link, because of the way that the original port for the
> database output was written:
> 
> generating 1 query for every table and querying the signatures table at
> every event.
> 
> The rewrite of the 2-1.10 database output plugin was mainly done to
> address that issue and others; now events
> are written in a single block and signature queries are done only if the
> signature was not already in cache. The minimum
> insert throughput performance has improved by 8 to 10 fold, if not more
> in some cases.
> 
> So if you observe backlog on 2-1.10 I would be interested in knowing things like:
> 1)  what is your backend DBMS
> 2)  what's the network latency between your barnyard2 node
> 3)  how many events/second you are generating.
> 
> I hope this sheds some light on the previous observation made by the concerned party.
> 
> -elz
> 
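As an added illustration of the difference elz describes above (a signature lookup and one INSERT per table for every event, versus a signature cache and block writes), here is a small Python simulation. It is not barnyard2 code and talks to no real database: the FakeDatabase, the table names, and the alert workload are constructed assumptions, and the only thing it measures is the number of database round trips, which is exactly what a busy backend or a high-latency link makes expensive.

```python
"""Count database round trips for two unified2-to-database output strategies.

Everything here is a constructed stand-in (assumption): FakeDatabase only
tallies queries, TABLES is a plausible set of per-event tables, and the
workload is synthetic. The point is the ratio, not the absolute numbers.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    """Minimal unified2-style alert: signature identity plus a few packet fields."""
    sid: int
    gid: int
    rev: int
    src: str
    dst: str


@dataclass
class FakeDatabase:
    """Stand-in backend that counts queries by kind instead of executing them."""
    queries: Counter = field(default_factory=Counter)
    signatures: dict = field(default_factory=dict)   # (gid, sid, rev) -> sig_id
    rows: int = 0

    def lookup_signature(self, key):
        self.queries["select_signature"] += 1
        return self.signatures.get(key)

    def insert_signature(self, key):
        self.queries["insert_signature"] += 1
        self.signatures[key] = len(self.signatures) + 1
        return self.signatures[key]

    def insert_row(self, table, row):
        self.queries["insert_" + table] += 1
        self.rows += 1

    def insert_block(self, rows):
        self.queries["insert_block"] += 1
        self.rows += len(rows)


# Assumed per-event tables; one INSERT each in the old scheme.
TABLES = ("event", "iphdr", "tcphdr", "data")


def write_per_query(db, events):
    """2-1.9-style behaviour as described: signature query for every event,
    then one INSERT per table. Returns the total number of round trips."""
    for ev in events:
        key = (ev.gid, ev.sid, ev.rev)
        sig_id = db.lookup_signature(key)
        if sig_id is None:
            sig_id = db.insert_signature(key)
        for table in TABLES:
            db.insert_row(table, (sig_id, ev.src, ev.dst))
    return sum(db.queries.values())


def write_cached_block(db, events, block_size=50):
    """2-1.10-style behaviour as described: hit the database for a signature only
    on a local cache miss, and flush the rows of all tables in one block."""
    sig_cache = {}
    pending = []
    for ev in events:
        key = (ev.gid, ev.sid, ev.rev)
        sig_id = sig_cache.get(key)
        if sig_id is None:                      # cache miss: one round trip, then remember it
            sig_id = db.lookup_signature(key)
            if sig_id is None:
                sig_id = db.insert_signature(key)
            sig_cache[key] = sig_id
        for table in TABLES:
            pending.append((table, sig_id, ev.src, ev.dst))
        if len(pending) >= block_size * len(TABLES):
            db.insert_block(pending)            # one round trip per block of events
            pending = []
    if pending:
        db.insert_block(pending)
    return sum(db.queries.values())


def sample_events(n=1000, distinct_sigs=10):
    """Constructed workload: n alerts spread over a handful of signatures."""
    return [Event(sid=1000000 + i % distinct_sigs, gid=1, rev=1,
                  src="10.0.0.%d" % (i % 250), dst="192.0.2.1") for i in range(n)]


def compare(n=1000, distinct_sigs=10, block_size=50):
    """Run both strategies on the same workload.
    Returns (round_trips_per_query, round_trips_cached_block, rows_written)."""
    events = sample_events(n, distinct_sigs)
    old_db, new_db = FakeDatabase(), FakeDatabase()
    q_old = write_per_query(old_db, events)
    q_new = write_cached_block(new_db, events, block_size)
    if old_db.rows != new_db.rows:
        raise RuntimeError("both strategies must persist the same rows")
    return q_old, q_new, new_db.rows


if __name__ == "__main__":
    q_old, q_new, rows = compare()
    print("rows written: %d, per-query round trips: %d, cached/block round trips: %d"
          % (rows, q_old, q_new))
```

With the default workload (1000 alerts over 10 signatures, 4 tables, blocks of 50 events) the per-query scheme makes 5010 round trips and the cached block scheme makes 40, while both persist the same 4000 rows. On a high-latency link each round trip costs a full network RTT, so the backlog elz describes grows with that count, not with the volume of data; the signature cache also shows why backlog is worst when many events share few signatures, since every repeated lookup in the old scheme is pure overhead.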