Snort mailing list archives
Re: Purchasing New Equipment for Snort
From: "Merida, Dylan" <Dylan.Merida () EKU EDU>
Date: Wed, 20 Apr 2011 17:12:14 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin, Thanks for this information. One our sys admins had discussed with me that a change to innodb could improve performance. I know that the default snort schema uses myisam, so I wasn't sure if innodb could be used. Does anything special need to be done in addition to changing the table type and making sure the key buffer size is large enough? On the MySQL 5.5 issue, should we see a performance increase just by upgrading the server version? I'm sure you know that BASE uses the adodb libraries and they aren't updated often. I'm not sure about Barnyard, can it use MySQL 5.5 client libraries if compiled with 5.5 installed? Thanks for your time, Dylan Merida Security Analyst Information Technology Eastern Kentucky University NOTE: IT @ EKU will NEVER request passwords or other personal information via email. Messages requesting such information are fraudulent and should be deleted. On Apr 18, 2011, at 10:58 PM, Martin Holste wrote:
Since Snort won't be utilizing the disk much, you should get one beefy box (>=16 cores) and a ton of ram and disk and run it all on one box. You could get two, but this saves a lot of sys admin overhead. Make sure your tables are using innodb and allocate at least as much key buffer memory as it will take to fit the keys for your tables in memory. You can find that with the index_length column in the information_schema.tables system table. Also, be sure to use Mysql 5.5 as it has many performance improvements. Postgres trolls/snobs will also point out that pgsql has better concurrency rates, and so may be better suited for this scenario. On Monday, April 18, 2011, Merida, Dylan <Dylan.Merida () eku edu> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey All, It's come time for EKU to do some equipment upgrades. I have the opportunity to throw some beefy hardware at snort and its database server. Our current set up is running on one single core 3.2 GHz Xeon with 12 GBs of RAM. The MySQL database is hosted on a separate box that's a multicore Xeon; it also serves one other purpose, so the load is quite high (and slow) when performing extensive database queries. I'm currently running one sensor at egress/ingress to the internet. I would like to deploy 4 more sensors throughout our network and run this on one multicore box. We currently average about 1.5 million alerts a day on a gigabit pipe that averages around 300 Mbps. Queries are quite slow when examining a large dataset (like 24 hrs), so I also want queries to be extremely fast in BASE and Snorby. My question is this: If I could buy two servers with any specs that I wanted, what would allow me to run 5 sensors on one box and a beefy MySQL database on another that can run most queries in under 10 seconds? So far, we've tried some tests with a large storage box with SSD cache running FreeBSD and ZFS. There appear to be some limitations in the FreeBSD MySQL daemon. I'd also like to know what OSes you might suggest. (We're fans of Red Hat, but are open to anything.) Also, would you run Barnyard on the sensor box or push the alerts to the DB server and then parse them from there? Let me know what you think. Thank you, Dylan Merida Security Analyst Information Technology Eastern Kentucky University NOTE: IT @ EKU will NEVER request passwords or other personal information via email. Messages requesting such information are fraudulent and should be deleted. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJNrI+7AAoJEJZGFwhgpNqAmmwP/ifR85gorE61RX1NA/8YHiN/ twLKVoO96gack5KeQKpHgbEHOiN0knJpGqujeGhEbQo11ogPOa+6hau4/j3oYme5 V14iq7GpT49jmjVnzKcCJy34OooyRckWN6ANdsx1lVMh/C8CvF7oVmONp8YFNTYl W+mmic0GJ4Lmxp9gIfvZzwwg0AhaQgJVwdGm/C1AhfpRFlUzvG4AB5gagJ5Ws4as fE8EQqMmb8w53JLXwY/DpRi1GB/xIOrgRbAN8KIKtig9+Mij6XrKWYR+vDXPlp/7 ctnb67cbC0oLU9kh4Jq/HngbyvcI0mGsQ7HiIR86PUl7OIZPa05wXV1DesK4RoFJ c7mtbnzvqnGKuRC3P3zSlQxj+vqHOjpEUB7ERe1sJYwQAlQuLKJdWuljYh2h3WRr uOm3C/tFzDpgYwHP+r2+nhExm3AC2jY2XhJxsg+boeBGqstvHNo6vK6q6Ofxa5Jr NW3kwT4tejKMnwg32fauHVSVsYk3EnBU0Aola0UrRppOPOgsqTyoPbmVpZSPg4r4 92hyg5f+ymxx1++OP6isFr1Mgvv6mKA5pXB5sFhG1+IoporigjpvK+KCpOJWu/w/ dLckh+Ap2JRSpP6s3cKzjqS59EXE3KD91lRI6Ark6Fp+w91M/MLyvcG/HbsO7Nn5 gmB7ZDtYz12FZ4UvbQH+ =Q3dr -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority.Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJNr0wyAAoJEJZGFwhgpNqAm2oP/1PYP7mS4H7JqJqzO2bGOsgh ep1cyphppzVcidACXyxi7Me00+1KiFwT5MXhj4uOlo34a34wj5z+WKSQTtzKog38 fQJ0KDCNTeFPCYODKs2z7U2OphIzicAcnxdINx4/UBETXfnLKIkQfb3gQXXZJ0dY nw6SZhqHtYq8rU5oo4egjBdSI36Bg6nN1OmH8w930P4/SOT6vvR4G7a0VsP0kl+1 C6g3Sqmmp+6EsMh/mY+ChYcbqDbUGeqz6Qo1ZlcxWLwrkS4e1JIDgSFvka77moVD 0cTGTTBglJFm/hapNf3CE2x2rmMlJ5cEPLx2LEQJG5+TwB8d+GpgE/05q2acBpa4 ae8Fd4M+ahYzKXZO/WMPLDqYngXIKRbCGL2BoTZMdeP4RmXyB54VRxhZp9e1Akm4 8voYzGZ5vka+ch7QwUju4LG/SUbdPGFw9cBOQY/8NBfmZbys1VvdSWCHn/Y8+Csg vAaTY4AfwuhUiUx5gydf9a4t+qvSUXaiMM2lMIfjgt4xEnPXNPjtEJoqh1GVjzda 7E4HPcKVJQ4MBi8rHkyR+B9sXoYVijhc18nYc0lSlrStvkpMdjkEh+cP4rxBARsn V7nUpF4eIfC6upJUN1w9UOXnkIHboIzC75+FvBwCr4XbDmnaMKpsuzUkVTetDDzB GXBG+KNSO/dXZXz4MwIA =Ic+b -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority.Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Purchasing New Equipment for Snort Merida, Dylan (Apr 18)
- Re: Purchasing New Equipment for Snort Martin Holste (Apr 18)
- Re: Purchasing New Equipment for Snort Merida, Dylan (Apr 20)
- Re: Purchasing New Equipment for Snort Martin Holste (Apr 20)
- Re: Purchasing New Equipment for Snort Randal T. Rioux (Apr 22)
- Re: Purchasing New Equipment for Snort Merida, Dylan (Apr 20)
- Re: Purchasing New Equipment for Snort Martin Holste (Apr 18)