Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Horsepower

From: Saad Kadhi <saad () docisland org>
Date: Wed, 19 Feb 2003 17:42:15 +0100
On Wed, Feb 19, 2003 at 07:50:06AM -0800, Snow Jacob C KPWA wrote:

Curious as to which would need more horsepower in a multiple sensor ->
central DB configuration?  My guess would be the central DB since the others
are just kind of dumb sensors feeding the info to the central DB, but
thought I would pose the question to the group.

it really depends on  the  amount  of  data  you  are  looking  at,  the
preprocessors you have activated and if any extra formatting  is  needed
before sending the data to the central db.

that's why, many ppl on this list recommend using barnyard if  you  have
mysql. but as you might have  noticed  from  the  reported  experiences,
mysql doesn't scale well if you have truckloads of data [1].

to keep it simple, the central db needs horsepower and a good  nic.  and
more horsepower if you are going to ssl-tunnel all  data  that  hits  it
from all fronts.

the sensors don't necessarily need all the  horsepower  the  central  db
might have. they certainly  need  good  nics.  but  if  you  can  afford
horsepower, so the more the better 8~). here are some  good  links  that
may help you [2]:

  http://www.theadamsfamily.net/~erek/snort/perf.txt
  http://www.theadamsfamily.net/~erek/snort/MySQL_optimize.txt

--
[1] this is based on a crystal-ball(tm) interpretation of  the  posts  I
    have seen on this list. never had to deal with mounds of bits or  xx
    sensors.
[2] Erek, you really should convince the pig maestros to  add  those  to
    the faq. they keep coming at least once a week 8~)
-- 
Saad Kadhi -- [saad () docisland org] [saad.kadhi () hapsis fr]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---


-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: