Snort mailing list archives

Re: Best practices for very high volume install..


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Dec 2010 20:02:05 -0500

Using unified2 and barnyard2 removes the output logging slowdown from Snort. It can go very very fast.  

Most of the speed can be found in reducing ruleset and tuning. 


Sent from my iPhone

On Dec 20, 2010, at 6:27 PM, "Castle, Shane" <scastle () bouldercounty org> wrote:

Using Barnyard? The claim is that with Barnyard2 a 10G link can be
supported.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Wil Schultz [mailto:wschultz () bsdboy com] 
Sent: Monday, December 20, 2010 14:25
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best practices for very high volume install..

Hey there, have a very high traffic install (snort 2.9/barnyard2) that
I'm trying to get into a good and usable position. 

At this point I've got a gig port that's saturated to the box so we're
going to do a 2g port-channel here in a bit.

So far I've come to the conclusion that mysql binary logging isn't
realistic, so it's been turned off.

Additionally I've got a script that runs at midnight to purge alerts
that are greater than 2 days old.

I'm considering putting the database into RAM for a little more speed.

Does anyone else have some other best practice type suggestions for a
very high traffic box?

-wil
------------------------------------------------------------------------
------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

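
The split Joel Esler describes above, as an added configuration sketch that is not part of the original thread: Snort writes only binary unified2 files, and barnyard2 reads them and does the MySQL inserts. All paths, the file name snort.u2, the sensor name, the interface and the credentials are placeholder assumptions.

```conf
# ---- /etc/snort/snort.conf (Snort 2.9) : output section ------------------
# Slow variant: Snort itself inserts every alert into MySQL, so the
# detection engine waits on the database. Left commented out here.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# Fast variant: Snort only appends binary records to a spool file.
# "limit" is the size in MB at which a new spool file is started.
output unified2: filename snort.u2, limit 128

# ---- /etc/snort/barnyard2.conf -------------------------------------------
# Map files barnyard2 needs to turn gid/sid numbers back into messages.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Sensor identity recorded in the database (placeholder values).
config hostname:  sensor1
config interface: eth0

# Bookmark file: records how far into the spool barnyard2 has read,
# so a restart resumes there instead of re-inserting old events.
config waldo_file: /var/log/snort/barnyard2.waldo

input unified2

# The database insert now happens here, outside the Snort process.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# ---- starting barnyard2 against the spool directory ----------------------
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#           -w /var/log/snort/barnyard2.waldo
```

If the database falls behind, unread spool files accumulate in the log directory while Snort keeps running, so spool disk usage is worth monitoring.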

