Snort mailing list archives

Re: Snort/Barnyard2 performance with remote DB


From: Mike Lococo <mikelococo () gmail com>
Date: Tue, 28 Feb 2012 17:51:35 -0500

On 02/27/2012 10:24 AM, turki wrote:
> Is there a way to evaluate the performance of sending alerts from
> Snort/Barnyard2 to a remote DB?

Use barnyard2 to do this measurement. Create an empty DB and set up the 
schema and permissions. Time a barnyard2 run against a single U2 file. 
Count how many alerts are in the DB and do the math to calculate your 
insert rate.

Also, many folks have suggested that barnyard2 will not create a 
bottleneck under any circumstances, which isn't true.  Barnyard2 won't 
bottleneck on CPU, RAM, or IO... but it can bottleneck due to network 
latency.  It has a single insert thread that requires ~7 TCP 
roundtrips to insert an alert into the DB.  If your DB is on a LAN, 
you'll have a few milliseconds of latency and will be able to insert 100 
alerts per second or maybe even more, which is enough for a pretty 
chatty ruleset on a pretty big site.  If you have 200ms of latency due 
to a transatlantic link, you'll top out at 1-2 alerts per second, which 
will bottleneck most sites.  This is tricky to diagnose: your DB will 
appear idle and barnyard2 will not use much CPU, but it will fall behind 
further and further on inserts.  Details on this issue are in a by2 
mailing list thread:

http://groups.google.com/group/barnyard2-users/browse_thread/thread/b2ef14bbc4ebe060

So, if you have a reasonably well-tuned ruleset and a DB with LAN 
latency, barnyard2 won't be a bottleneck.  If you have a very high event 
rate, or a lot of network latency, it absolutely will be.  This will 
improve with the new schema, but it won't scale to high-event rates on 
high-latency links without a substantial change to the DB output framework.

Cheers,
Mike Lococo
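The measurement and the latency argument above, worked through as an added example (this is not barnyard2 code and not from the thread). It turns the post's "do the math" step into a function, models the ceiling a single serial insert thread can reach when each alert costs about 7 network round trips (the figure from the post, treated here as an assumption via `ROUNDTRIPS_PER_ALERT`), and simulates such a thread against an in-memory SQLite table (a constructed stand-in, not the Snort schema) with the round-trip delay injected as a sleep, so you can see the DB and CPU sit idle while throughput collapses with RTT. `insert_rate`, `latency_ceiling`, `diagnose` and `simulate_serial_inserts` are names chosen for this example.

```python
"""Latency-bound insert ceiling for a single-threaded DB output thread.

Added example, not barnyard2 code. Models the post's point: with one
insert thread and ~7 round trips per alert, throughput is bounded by
1 / (roundtrips * RTT) no matter how idle the DB and CPU look.
"""
import sqlite3
import time

# ~7 TCP round trips per alert, as stated in the post; an assumption here.
ROUNDTRIPS_PER_ALERT = 7


def latency_ceiling(rtt_seconds, roundtrips=ROUNDTRIPS_PER_ALERT):
    """Max alerts/second a serial insert thread can reach when each round
    trip waits one RTT and nothing else costs time."""
    return 1.0 / (roundtrips * rtt_seconds)


def insert_rate(alert_count, elapsed_seconds):
    """The post's measurement: rows counted in the DB after a timed
    barnyard2 run over one unified2 file, divided by the wall-clock time."""
    return alert_count / elapsed_seconds


def diagnose(observed_rate, rtt_seconds, roundtrips=ROUNDTRIPS_PER_ALERT):
    """Label a measured rate: if it sits within 70% of the ceiling the RTT
    allows, the link latency, not the DB or CPU, is the limiting factor."""
    ceiling = latency_ceiling(rtt_seconds, roundtrips)
    return "latency-bound" if observed_rate >= 0.7 * ceiling else "not latency-bound"


def simulate_serial_inserts(alert_count, rtt_seconds, roundtrips=ROUNDTRIPS_PER_ALERT):
    """Single-threaded insert loop against an in-memory SQLite table
    (constructed stand-in for the real event table). Every round trip is
    simulated by sleeping one RTT before talking to the DB, so the DB and
    the CPU stay idle while the thread falls behind.
    Returns (observed_rate, ceiling) in alerts/second."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, ts REAL)")
    start = time.perf_counter()
    for cid in range(1, alert_count + 1):
        # roundtrips - 1 preparatory exchanges (lookups etc.), then the INSERT
        for _ in range(roundtrips - 1):
            time.sleep(rtt_seconds)
            conn.execute("SELECT 1")
        time.sleep(rtt_seconds)
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (1, cid, 1000001, time.time()))
    conn.commit()
    elapsed = time.perf_counter() - start
    stored = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    conn.close()
    return insert_rate(stored, elapsed), latency_ceiling(rtt_seconds, roundtrips)


if __name__ == "__main__":
    for rtt_ms in (1, 5, 200):
        print(f"RTT {rtt_ms:>3} ms -> ceiling {latency_ceiling(rtt_ms / 1000):8.2f} alerts/s")
    # A real run would use the row count and elapsed time of the timed barnyard2 run;
    # 3000 alerts in 30 s is a constructed sample.
    rate = insert_rate(3000, 30.0)
    print(f"measured {rate:.1f} alerts/s on a 1 ms link: {diagnose(rate, 0.001)}")
    sim_rate, ceiling = simulate_serial_inserts(alert_count=20, rtt_seconds=0.002)
    print(f"simulated 2 ms link: {sim_rate:.1f} alerts/s observed vs {ceiling:.1f} ceiling")
```

With the post's numbers the model gives roughly 140 alerts/s at 1 ms RTT and under 1 alert/s at 200 ms, which is the behaviour described: the DB and barnyard2 both look idle, yet the backlog grows. Comparing your measured rate against `latency_ceiling` for your link's RTT is the quickest check for whether latency is what you are hitting.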
