Re: Stream/Packet Capture with Snort

[Richard Bejtlich <taosecurity () gmail com>]

On 5/10/05, Paul Melson <psmelson () comcast net> wrote:
> Right now I'm logging alerts directly from Snort to MySQL.  The MySQL
> database is on another box with more than enough resources to handle what
> I'm considering throwing at it.  So are you saying that the performance of
> the Snort sensor itself is going to suffer, and if so, in what way(s)?

Hello Paul,

This is my understanding and I would welcome any clarifications from
the Snort gods.

When Snort processes a packet, and needs to insert an alert into the
database, Snort blocks while processing the insert.  Snort is not
multi-threaded.  If your database inserts are slower than the ability
of Snort to keep up with packet processing, you will drop packets.  If
your Snort process and DB are different boxes, and the link goes down,
Snort will have major problems.

Barnyard and other spool readers make a huge difference.  Snort writes
its output to disk.  Barnyard reads the output and takes care of the
inserts to the DB.

Decoupling that process allows Snort to run as fast as possible, and
the system becomes more tolerant of delays or breaks in the line
between the sensor and DB.

Few configuration guides or books seem to mention this important use
of Barnyard.  There are exceptions of course.

Sincerely,

Richard
http://www.taosecurity.com


-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_ids93&alloc_id281&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users