Snort mailing list archives

RE: Best Enterprise Snort Configuration


From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Wed, 12 Feb 2003 15:14:29 -0600

You're going to get all sorts of answers to this question, because
everybody has their own opinions.  I'll let you make your own choices
re: sensor OS and keep out of that discussion.  However, I would
recommend you look at my posting from yesterday 'Re: ACID - Which
Database?' - I went over a lot of reasons why I would choose PostgreSQL
over MySQL as the database backend for a larger environment.

If you choose to use MySQL in a large environment (60-70 sensors), and
have users querying the database frequently or issuing large queries,
you WILL have performance problems due to the fact that MySQL MyISAM
tables use table-level locking.  This is straight from the MySQL
documentation(http://www.mysql.com/doc/en/Table_locking.html):

Table locking is, however, not very good under the following senario
(sic - AJH): 

A client issues a SELECT that takes a long time to run. 
Another client then issues an UPDATE on a used table. 
    This client will wait until the SELECT is finished. 
Another client issues another SELECT statement on the same table.
    As UPDATE has higher priority than SELECT, this SELECT will 
    wait for the UPDATE to finish. It will also wait 
    for the first SELECT to finish! 

Your sensors are going to be issuing tons of INSERTS, and a long running
SELECT (i.e. your boss wants a daily aggregate report of all alerts
broken down by type for each day of last month, or some other request
along those lines...) will effectively _shut you down_.

The solution to this is to either use MySQL with InnoDB, or use
PostgreSQL which uses row-level locking.  With MySQL/InnoDB you get
row-level locking and transaction support, but with PostgreSQL you also
get full transaction support, and the ability to write stored
procedures, triggers, rules, nested sub-selects, foreign key
constraints, etc. etc. etc.  I'm not knocking MySQL here - I used it for
a long time, and for a < 5 sensor environment with a couple people
hitting the db infrequently, it works great.  But with 60-70 sensors,
you need something with some more advanced features.  

People frequently cite benchmarks that show that MySQL is very fast - it
is, because it uses table locking and has no transaction support using
MyISAM.  PostgreSQL is slower because it _always_ uses transactions and
row-level locking.  However, as soon as you switch to MySQL's InnoDB
engine, your speeds drop down to PostgreSQL-like levels.  That's just a
side effect of adding transaction support, which is a feature that you
DO need in a larger environment.

Hope this helps you in your decision process,

Andrew


Andrew Hutchinson
Vanderbilt University Medical Center
Informatics / NCS / Network Security
(615) 936-2856
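The three-client table-locking scenario quoted above, played through as a small discrete-event model next to a row-level-locking model (an added example, not code from the post or from MySQL/PostgreSQL; the workload, its durations and the `event:1` row label are constructed, and the lock rules are a simplified model of each engine):

```python
# Added example: discrete-event model of the three-client MyISAM scenario
# quoted above, compared with row-level locking. Constructed workload.
from dataclasses import dataclass


@dataclass(eq=False)
class Op:
    client: str
    kind: str             # "SELECT" (reader) or "INSERT"/"UPDATE" (writer)
    arrival: float        # seconds after t=0 when the statement is issued
    duration: float       # seconds it runs once it holds its lock(s)
    rows: frozenset = frozenset()   # rows a writer touches (row-level model)

    def is_write(self):
        return self.kind != "SELECT"


def can_start(op, running, pending, row_level):
    if row_level:
        # InnoDB/PostgreSQL: readers never wait; writers wait only for writers on the same rows.
        return not op.is_write() or not any(
            o.is_write() and o.rows & op.rows for o in running)
    # MyISAM: a writer needs the whole table; a queued writer beats every waiting reader.
    if op.is_write():
        return not running
    return not any(o.is_write() for o in running + pending)


def simulate(ops, row_level):
    # Returns {client: (start, end)} for the workload under one lock model.
    ops = sorted(ops, key=lambda o: o.arrival)
    started, ends, pending, running, i = {}, {}, [], [], 0
    while i < len(ops) or pending or running:
        now = min([ends[o] for o in running] +
                  ([ops[i].arrival] if i < len(ops) else []))
        running = [o for o in running if ends[o] > now]
        while i < len(ops) and ops[i].arrival <= now:
            pending.append(ops[i]); i += 1
        for o in list(pending):                 # queue is in arrival order
            if can_start(o, running, pending, row_level):
                started[o], ends[o] = now, now + o.duration
                running.append(o); pending.remove(o)
    return {o.client: (started[o], ends[o]) for o in ops}


def scenario():
    # Constructed: a 60 s monthly report, one sensor INSERT, a console poll.
    return [Op("report", "SELECT", 0.0, 60.0),
            Op("sensor", "INSERT", 5.0, 0.25, frozenset({"event:1"})),
            Op("console", "SELECT", 10.0, 1.0)]
```

Under the table-lock model the sensor's INSERT and the console's poll both finish after the 60-second report; under the row-level model they finish at 5.25 s and 11 s respectively.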

-----Original Message-----
From: tfandango [mailto:tfandango () yahoo com] 
Sent: Wednesday, February 12, 2003 9:39 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best Enterprise Snort Configuration


Good news, I have a go for a Snort R&D project to
prove that Snort can handle the traffic that our
current commercial $oftware does.

So I have a few questions...

What is the best enterprise setup?  I estimate that we
will need about 60-70 sensors when it's all said and
done.  For an R&D project, I figure that I will start
with about 2 sensors running linux.

So what snort-related tools do you guys like the best?
I will probably try to use mySQL to start off with
and log to a central database somewhere.  But what
tools are available to remotely manage the snort
application, display all the sensor alerts in near
realtime on some central console (I assume this will
be something that polls the database), etc, etc.

Just looking for some opinions in this area!  Thanks!

tfandango 



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
