Snort mailing list archives
Re: Snort/Barnyard2 performance with remote DB
From: Jan Seidl <lists () heavyworks net>
Date: Mon, 27 Feb 2012 16:33:26 -0300
Yes, Martin is right. Even if you get some clog in MySQL or the network, barnyard2 will ship all the results as the unified2 files will be written and won't be lost. If you still want to have near real-time MySQL archiving due to the use of Snorby or BASE, you might want to fine-tune your setup. BTW, I forgot to mention this article which covers other MySQL benchmarking tools: http://www.devshed.com/c/a/MySQL/MySQL-Benchmarking-Tools-and-Utilities

On Mon, Feb 27, 2012 at 4:29 PM, Martin Holste <mcholste () gmail com> wrote:

My point was that Barnyard performance is largely irrelevant. Do you have some reason to believe it is not performing well? In any case, you are essentially asking for an alerts-per-second statistic, which you could get manually with:

SELECT COUNT(*) AS count, timestamp FROM event WHERE timestamp > DATE_SUB(NOW(), INTERVAL 60 SECOND) GROUP BY timestamp ORDER BY timestamp;

That will show you alerts-per-second for the last minute.

On Mon, Feb 27, 2012 at 1:22 PM, turki <turki_00 () yahoo com> wrote:

I am 100% convinced (and this is what I am implementing right now) that using barnyard2 is more appropriate to insert alerts into the DB rather than leaving this process to Snort by itself. However, maybe I need to further explain my question: how can I evaluate/measure barnyard's INSERT process to a remote DB? Or, in other words, how can we measure the throughput or the performance of barnyard2 while shipping alerts to a remote database? I would imagine something like barnyard's ability to send alerts/second factor or something....

Thank you,
Turki

________________________________
From: Martin Holste <mcholste () gmail com>
To: Joel Esler <jesler () sourcefire com>
Cc: turki <turki_00 () yahoo com>; "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Sent: Monday, February 27, 2012 12:05:14 PM
Subject: Re: [Snort-users] Snort/Barnyard2 performance with remote DB

Since you're already using Barnyard2, Turki, it sounds like you're wondering if you should be concerned with Snort performance or Barnyard's INSERT performance. The answer is that you should be concerned solely with Snort performance in almost all scenarios. Barnyard will INSERT as fast as it can, and since the data is safely on disk already as it does this, if it gets behind for a few minutes or hours, it's generally not a major issue. However, if your alert volume is so great that you are overwhelming Barnyard, then your problem is not actually Barnyard but that you are alerting too much. That means you need to tune your rule set. More than about 10 alerts per second is more than most small or medium networks generate, and more than 100 alerts per second is highly unusual and probably indicates a tuning problem.

On Mon, Feb 27, 2012 at 10:01 AM, Joel Esler <jesler () sourcefire com> wrote:

On Feb 27, 2012, at 10:24 AM, turki wrote:

Hello Snort users,

I am using Snort (2.9.0.5) and Barnyard2 (1.9) with a configuration that sends alerts to a database. A MySQL DB is the storage unit to save these alerts and it is on a separate machine from the Snort/Barnyard2 machine. My question: is there a way to evaluate the performance of sending alerts from Snort/Barnyard2 to a remote DB? Is the focus here to monitor the throughput of the Snort node or the DB node? Any recommended benchmark tools for such an experiment?

So, a couple of thoughts here that may point you in the right direction. Snort, when outputting directly to the DB, has to stop being an IDS in order to "INSERT" into the DB. That's not generally a good thing! We recommend using Snort to output to unified2 and having barnyard2 input into the DB. We are actually going to be removing the direct-to-DB output from Snort in the next major release (2.9.3).

Joel

------------------------------------------------------------------------------
Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
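The thread's point is that the alert rate, not barnyard2's INSERT speed, is what to measure, and Martin's SQL query derives it from the database after the fact. As an added example (not code from any poster or from the Snort/barnyard2 projects), the same alerts-per-second figure can be read straight from the unified2 spool that Snort writes, before barnyard2 ever touches MySQL, which also separates "Snort is alerting too much" from "the remote DB is slow". It assumes the classic unified2 IDS_EVENT record layout (type 7, 52-byte body) and uses a constructed sample spool rather than a real capture.

```python
import struct
from collections import Counter

# Unified2 record header: type and length, both 32-bit big-endian.
REC_HDR = struct.Struct(">II")
# UNIFIED2_IDS_EVENT (type 7): eleven 32-bit fields, two 16-bit ports, four 8-bit flags.
IDS_EVENT = 7
IDS_EVENT_REC = struct.Struct(">11IHH4B")

def iter_records(data):
    """Yield (type, payload) for each complete record in a unified2 byte string."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            break  # truncated trailing record: Snort may still be writing it
        yield rtype, data[off:off + rlen]
        off += rlen

def alerts_per_second(data):
    """Count IDS events per whole second (event_second is field index 2)."""
    counts = Counter()
    for rtype, payload in iter_records(data):
        if rtype == IDS_EVENT and len(payload) == IDS_EVENT_REC.size:
            counts[IDS_EVENT_REC.unpack(payload)[2]] += 1
    return dict(counts)

def peak_rate(data):
    counts = alerts_per_second(data)
    return max(counts.values()) if counts else 0

def assess(rate):
    """Map a peak alerts/second figure onto the rule-of-thumb thresholds from the thread."""
    if rate > 100:
        return "highly unusual: rule set almost certainly needs tuning"
    if rate > 10:
        return "above typical small/medium network volume: review tuning"
    return "within normal range"

def make_event(second, sid):
    """Build one constructed IDS_EVENT record (sample data, not a real capture)."""
    payload = IDS_EVENT_REC.pack(1, sid, second, 0, sid, 1, 1, 3, 2,
                                 0x0A000001, 0x0A000002, 12345, 80, 6, 0, 0, 0)
    return REC_HDR.pack(IDS_EVENT, len(payload)) + payload

# Constructed spool sample: three events in one second, one in the next.
SAMPLE = b"".join(make_event(1330370000, i) for i in (1, 2, 3)) + make_event(1330370001, 4)

if __name__ == "__main__":
    print(alerts_per_second(SAMPLE), assess(peak_rate(SAMPLE)))
```

Running it over a real spool file (read in binary) gives the Snort-side rate; comparing that against Martin's query on the remote MySQL shows how far behind barnyard2 is, if at all.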
Current thread:
- Snort/Barnyard2 performance with remote DB turki (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Joel Esler (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Martin Holste (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB turki (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Martin Holste (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Jan Seidl (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB beenph (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB turki (Feb 28)
- Re: Snort/Barnyard2 performance with remote DB Martin Holste (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Joel Esler (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB Jan Seidl (Feb 27)
- Re: Snort/Barnyard2 performance with remote DB beenph (Feb 28)
- Re: Snort/Barnyard2 performance with remote DB Mike Lococo (Feb 29)
- Re: Snort/Barnyard2 performance with remote DB Jason Haar (Feb 29)
- Re: Snort/Barnyard2 performance with remote DB turki (Feb 29)
- Re: Snort/Barnyard2 performance with remote DB Jason Haar (Feb 29)
- Re: Snort/Barnyard2 performance with remote DB beenph (Feb 29)