[Snort-users] Snort vs. Barnyard2 performance logging to a database

dandantheitman dandantheitman at ...11827...
Tue Feb 11 06:19:15 EST 2014


Morning Ido, I have not got any performance statistics to share with you,
but I can tell you that, based on past testing and experience, unified2
and barnyard is the better performer over direct database inserts. One of
the biggest performance hits your snort will take when looking at direct
database inserts is table and row locking: if you are querying your
database, for example perhaps pulling information for a report, then snort
may not be able to perform its database inserts.

If you were to set up a second database instance and replicate the data and
run your queries against that, then this would alleviate the table and row
locks hinted at above.

Dan


On 11 February 2014 05:38, Dubrawsky, Ido <Ido.Dubrawsky at ...16687...> wrote:

> Has anyone done any performance tests benchmarking whether it's better for
> the Snort IDS process to insert alerts directly into a database (MySQL or
> PostgreSQL) or whether performance is better if Snort writes the unified2
> file and lets Barnyard2 insert alerts into a database?   A quick Google
> search hasn't easily revealed anything relevant at the moment.
>
>
>
> Thanks,
>
> Ido