Snort mailing list archives
Re: Where's Waldo?
From: beenph <beenph () gmail com>
Date: Thu, 11 Oct 2012 18:02:35 -0400
On Thu, Oct 11, 2012 at 5:13 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:
> --On October 11, 2012 8:58:12 PM +0100 Peter Bates <peter.bates () ucl ac uk> wrote:
>> Hello all
>>
>> On 11/10/2012 20:29, AllowOverride wrote:
>>> just a test, I will clear tables, and close browser, come back in 1 hour increments, and see if that is the issue. It takes an hour to input new data after BASE clear table buttons have cleared. I assume there is a switch in the configs to make it quicker.
>>
>> I've never personally looked for the option to clear tables in BASE but I can say I use a script called archivesnort.pl which moves alerts after 7 days to the archive DB and deletes them after 30.
The condition mentioned earlier by Waldo Kitty is called "backlog". Backlog is a state where you are receiving/generating a lot of unified2 events, so much that even if barnyard2 is reading them it's not outputting them fast enough. That state was easily observable with barnyard2 2-1.9 if you were outputting to a database on a busy database or high latency link, because of the way that the original port for the database output was written: generating 1 query for every table and querying the signature table at every event. The rewrite of the 2-1.10 database output plugin was mainly done to address that issue and others, but now events are written in a single block and signature queries are done only if the signature was not already in cache. The minimum insert throughput performance has been improved by 8 to 10 fold, if not more in some cases.

So if you observe backlog on 2-1.10 I would be interested in knowing things like:
1) what is your backend DBMS
2) what's the network latency between your barnyard2 node
3) how many events/second you are generating

I hope this sheds some light on previous observations done by the concerned party.

-elz
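The message above attributes the 2-1.10 throughput gain to two changes: signatures are looked up only on a cache miss, and a block of events is written in one go instead of one autocommitted query per table. The simulation below is an added example, not barnyard2's code: it replays both strategies against an in-memory SQLite database with a simplified three-table schema and counts, via sqlite3's trace callback, how many signature lookups and transactions each one actually sends for the same constructed block of alerts. The schema, the sample alerts and all function names are assumptions made for the example.

```python
import sqlite3
# Simplified stand-in for the Snort alert schema (an assumption, not barnyard2's real DDL).
SCHEMA = """CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sid INT, gid INT, rev INT, msg TEXT);
CREATE TABLE event (cid INTEGER PRIMARY KEY, sig_id INT);
CREATE TABLE iphdr (cid INT, src TEXT, dst TEXT);"""
SIG_SELECT = "SELECT sig_id FROM signature WHERE sid=? AND gid=? AND rev=?"
SIG_INSERT = "INSERT INTO signature(sid, gid, rev, msg) VALUES (?, ?, ?, ?)"

def attach_meter(con):  # count what really reaches the database, via sqlite3's trace callback
    m = {"sig_lookups": 0, "transactions": 0, "in_txn": False}
    def trace(sql):
        s = sql.lstrip().upper()
        if s.startswith(("BEGIN", "COMMIT")):
            m["in_txn"] = s.startswith("BEGIN")
            m["transactions"] += s.startswith("COMMIT")
        else:
            m["sig_lookups"] += s.startswith("SELECT SIG_ID")
            m["transactions"] += not m["in_txn"]  # autocommit: each statement is its own transaction
    con.set_trace_callback(trace)
    return m

def write_event_rows(con, sig_id, src, dst):  # one INSERT per table, shared by both versions
    cid = con.execute("INSERT INTO event(sig_id) VALUES (?)", (sig_id,)).lastrowid
    con.execute("INSERT INTO iphdr VALUES (?, ?, ?)", (cid, src, dst))

def write_legacy(con, events):
    """2-1.9 style: signature table queried on every event, every INSERT autocommitted."""
    for sid, gid, rev, msg, src, dst in events:
        row = con.execute(SIG_SELECT, (sid, gid, rev)).fetchone()
        sig_id = row[0] if row else con.execute(SIG_INSERT, (sid, gid, rev, msg)).lastrowid
        write_event_rows(con, sig_id, src, dst)

def write_cached(con, events, sig_cache):
    """2-1.10 style: signature queried only on a cache miss, the whole block in one transaction."""
    con.execute("BEGIN")
    for sid, gid, rev, msg, src, dst in events:
        if (sid, gid, rev) not in sig_cache:
            row = con.execute(SIG_SELECT, (sid, gid, rev)).fetchone()
            sig_cache[sid, gid, rev] = row[0] if row else con.execute(SIG_INSERT, (sid, gid, rev, msg)).lastrowid
        write_event_rows(con, sig_cache[sid, gid, rev], src, dst)
    con.execute("COMMIT")

def measure(writer, events, *args):  # run one writer on a fresh DB -> (signature lookups, transactions, events stored)
    con = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: Python issues no implicit BEGIN
    con.executescript(SCHEMA)
    m = attach_meter(con)
    writer(con, events, *args)
    return m["sig_lookups"], m["transactions"], con.execute("SELECT COUNT(*) FROM event").fetchone()[0]
# Constructed block of 1000 alerts over three signatures: measure(write_legacy, SAMPLE) -> (1000, 3003, 1000),
# measure(write_cached, SAMPLE, {}) -> (3, 1, 1000)
SAMPLE = [(2000000 + i % 3, 1, 1, f"constructed sig {i % 3}", "10.0.0.1", "10.0.0.2") for i in range(1000)]
```

The transaction count is what a remote or busy DBMS pays for in round trips and commits, which is why the same block of alerts backlogs on one strategy and not the other.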